Fsutil Behavior Set SymlinkEvaluation

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Sigma rule (View on GitHub)

 1title: Fsutil Behavior Set SymlinkEvaluation
 2id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
 3status: test
 4description: |
 5    A symbolic link is a type of file that contains a reference to another file.
 6    This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt    
 7references:
 8    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
 9    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
10author: frack113
11date: 2022-03-02
12modified: 2023-01-19
13tags:
14    - attack.execution
15    - attack.t1059
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\fsutil.exe'
22        - OriginalFileName: 'fsutil.exe'
23    selection_cli:
24        CommandLine|contains|all:
25            - 'behavior '
26            - 'set '
27            - 'SymlinkEvaluation'
28    condition: all of selection_*
29falsepositives:
30    - Legitimate use
31level: medium

References

Related rules

to-top