Fsutil Behavior Set SymlinkEvaluation
A symbolic link is a type of file that contains a reference to another file. Changing symbolic-link evaluation with fsutil is probably done so that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt.
Sigma rule
title: Fsutil Behavior Set SymlinkEvaluation
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    A symbolic link is a type of file that contains a reference to another file.
    This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
author: frack113
date: 2022-03-02
modified: 2023-01-19
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'behavior '
            - 'set '
            - 'SymlinkEvaluation'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
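The rule's matching logic, written out in Python as an added example (not part of the Sigma rule or the SigmaHQ project) so the OR/AND semantics of the two selections can be checked against sample events. It assumes process_creation events are available as dicts with the Sysmon-style field names the rule uses (Image, OriginalFileName, CommandLine); the events below are constructed, not real telemetry, and Sigma's default case-insensitive string matching is reproduced by lowercasing both sides.

```python
# Sigma string modifiers (endswith, contains) are case-insensitive by
# default, so every comparison lowercases both the field and the pattern.

def matches_selection_img(event: dict) -> bool:
    """selection_img is a list of maps -> OR between the two entries."""
    image = str(event.get("Image", "")).lower()
    orig = str(event.get("OriginalFileName", "")).lower()
    return image.endswith("\\fsutil.exe") or orig == "fsutil.exe"

def matches_selection_cli(event: dict) -> bool:
    """CommandLine|contains|all -> every substring must be present."""
    cmd = str(event.get("CommandLine", "")).lower()
    return all(s in cmd for s in ("behavior ", "set ", "symlinkevaluation"))

def matches_rule(event: dict) -> bool:
    """condition: all of selection_* -> both selections must match."""
    return matches_selection_img(event) and matches_selection_cli(event)

def alerts(events: list) -> list:
    """Return the indexes of events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

# Constructed sample process_creation events (hypothetical, not real logs).
SAMPLE_EVENTS = [
    # 1. normal fsutil binary changing symlink evaluation -> fires
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    # 2. renamed copy; OriginalFileName from the PE header still matches -> fires
    {"Image": r"C:\Users\user\AppData\Local\Temp\fs.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": "fs.exe behavior set symlinkevaluation L2L:1"},
    # 3. only querying the setting, no 'set ' substring -> does not fire
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil behavior query SymlinkEvaluation"},
    # 4. command line matches but the image is not fsutil -> does not fire
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo behavior set SymlinkEvaluation"},
]

if __name__ == "__main__":
    print("matching event indexes:", alerts(SAMPLE_EVENTS))  # [0, 1]
```

Event 1 is exactly what the rule's "Legitimate use" false positive looks like, so a match should be triaged against the parent process and the user context rather than treated as a confirmed ransomware indicator.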