Fsutil Behavior Set SymlinkEvaluation

A symbolic link is a type of file that contains a reference to another file. Changing this setting is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt.

Sigma rule

```yaml
title: Fsutil Behavior Set SymlinkEvaluation
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    A symbolic link is a type of file that contains a reference to another file.
    This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
author: frack113
date: 2022/03/02
modified: 2023/01/19
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'behavior '
            - 'set '
            - 'SymlinkEvaluation'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
```
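As an added illustration of how the rule's `all of selection_*` condition evaluates (this is example code, not Sigma's own backend or the rule author's), the matcher below applies the two selections to a few constructed process_creation events. Field names follow the rule; Sigma's `endswith` and `contains` modifiers are case-insensitive by default, which is why the renamed-binary and mixed-case cases still fire.

```python
# Added example: minimal matcher for the "Fsutil Behavior Set SymlinkEvaluation"
# rule above, run over constructed events. Not Sigma's own code.

IMAGE_SUFFIX = "\\fsutil.exe"
ORIGINAL_NAME = "fsutil.exe"
CLI_TOKENS = ("behavior ", "set ", "SymlinkEvaluation")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies `condition: all of selection_*`.

    Sigma string modifiers are case-insensitive by default, so every
    comparison is done on lowercased values.
    """
    image = str(event.get("Image", "")).lower()
    orig = str(event.get("OriginalFileName", "")).lower()
    cli = str(event.get("CommandLine", "")).lower()

    # selection_img: list items under a selection are OR-ed together,
    # so a renamed fsutil.exe is still caught via OriginalFileName.
    selection_img = image.endswith(IMAGE_SUFFIX) or orig == ORIGINAL_NAME

    # selection_cli: contains|all requires every token to be present.
    selection_cli = all(t.lower() in cli for t in CLI_TOKENS)

    return selection_img and selection_cli


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil behavior set SymlinkEvaluation L2L:1 R2R:1 L2R:1 R2L:1"},
    {"Image": "C:\\Windows\\System32\\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil behavior query SymlinkEvaluation"},  # query, not set
    {"Image": "C:\\Temp\\renamed.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "renamed.exe BEHAVIOR SET symlinkevaluation R2L:1"},  # renamed binary
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo behavior set SymlinkEvaluation"},  # not fsutil
]


def alerts(events):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The second event shows the `'set '` token doing its job: a `query` of the same setting is legitimate administration and does not trigger the rule.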
