Suspicious Fsutil Execution Allowing Remote Connections
Detects the use of fsutil to permit additional types of symbolic links on a computer. These can be used to enable ransomware to follow shortcusts to find all files it wants to encrypt.
Sigma rule (View on GitHub)
1title: Suspicious Fsutil Execution Allowing Remote Connections
2id: 27e58290-85bf-4bd4-8eab-1c493139b659
3status: experimental
4description: Detects the use of fsutil to permit additional types of symbolic links on a computer. These can be used to enable ransomware to follow shortcusts to find all files it wants to encrypt.
5references:
6 - https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
7 - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
8author: Micah Babinski
9date: 2022/12/05
10tags:
11 - attack.persistence
12 - attack.t1547
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\fsutil.exe'
19 CommandLine|contains|all:
20 - 'behavior'
21 - 'set'
22 - 'SymlinkEvaluation'
23 CommandLine|re: '^.*(R|L)2(R|L):1.*$'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high```
References
-
The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy.
Read More -
BlackCat Ransomware gained notoriety quickly leaving a trail of destruction behind it, among its recent victims are German oil companies, an Italian luxury fashion brand and a Swiss Aviation company. Cybereason XDR detects and blocks BlackCat Ransomware...
Read More
Related rules
- Suspicious Schtasks Child Process
- Suspicious Calc DLL Load
- Chrome Spawned by Powershell with Load-Extension in Command Line
- Command Shell Unusual or Suspicious Process Ancestry
- Windows Scheduled Task Behaving Improperly or Suspiciously