Fsutil Suspicious Invocation
Detects suspicious fsutil parameters (deleting the USN journal, re-creating it with a very small size, zeroing file contents). These invocations have been used by ransomware during attacks (seen with NotPetya and others).
Sigma rule
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
    Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
    Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'   # file setZeroData ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
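To make the detection semantics concrete, the following is an added example (not part of the rule or of SigmaHQ) that evaluates the rule's logic in plain Python over constructed process_creation events. It encodes the Sigma conventions the rule relies on: the two entries under selection_img are OR'ed, the three `CommandLine|contains` values are OR'ed, `all of selection_*` requires both selections to hold, and string matching is case-insensitive. The sample events, field names (Sysmon-style Image, OriginalFileName, CommandLine) and paths are constructed for illustration; the fsutil argument syntax follows the Microsoft documentation linked in the rule.

```python
"""Evaluate the 'Fsutil Suspicious Invocation' Sigma logic over sample events.

Added example: this is not the rule's code and not part of SigmaHQ. The
events below are constructed; only the fsutil syntax comes from the docs.
"""

# The three substrings from selection_cli, lower-cased because Sigma string
# matching is case-insensitive by default.
SUSPICIOUS_ARGS = ("deletejournal", "createjournal", "setzerodata")


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with '\\fsutil.exe' OR OriginalFileName is
    'fsutil.exe'. The OriginalFileName check is what catches a renamed copy
    of the binary (the PE version resource still names it fsutil.exe)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\fsutil.exe") or original == "fsutil.exe"


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine contains any of the three tokens."""
    cmdline = event.get("CommandLine", "").lower()
    return any(token in cmdline for token in SUSPICIOUS_ARGS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must be true."""
    return selection_img(event) and selection_cli(event)


def run(events: list) -> list:
    """Return one True/False verdict per event, in input order."""
    return [matches(e) for e in events]


# Constructed sample events (hypothetical hosts, paths and file names).
SAMPLE_EVENTS = [
    # 1. Journal wipe as seen in NotPetya-style tradecraft -> alert
    {"Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil usn deletejournal /D C:"},
    # 2. Re-create the journal with a tiny max size (m=) -> alert
    {"Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil usn createjournal m=1000 a=100 C:"},
    # 3. Zero out a file's contents -> alert
    {"Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": r"fsutil file setZeroData offset=0 length=1048576 C:\Users\Public\notes.txt"},
    # 4. Renamed binary: Image no longer ends in fsutil.exe, but
    #    OriginalFileName still does -> alert
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "svc.exe usn deletejournal /N D:"},
    # 5. Benign admin query with fsutil -> no alert
    {"Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil fsinfo drives"},
    # 6. Keyword present but the process is not fsutil -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo deletejournal"},
]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

Two points worth checking when porting this to a real SIEM: the backend must preserve Sigma's case-insensitivity (event 4 and an upper-cased `FSUTIL USN DELETEJOURNAL` should both still fire), and the rule only fires when the process itself is fsutil, so the telemetry must populate OriginalFileName (as Sysmon Event ID 1 does) for the renamed-binary case to be caught.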
Related rules
- Potential BlackByte Ransomware Activity
- Secure Deletion with SDelete
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted
- Audit CVE Event