Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
Sigma rule (View on GitHub)
1title: Fsutil Suspicious Invocation
2id: add64136-62e5-48ea-807e-88638d02df1e
3status: stable
4description: |
5 Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
6 Might be used by ransomwares during the attack (seen by NotPetya and others).
7references:
8 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
10 - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
11 - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
12 - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
13author: Ecco, E.M. Anhaus, oscd.community
14date: 2019-09-26
15modified: 2023-09-09
16tags:
17 - attack.defense-evasion
18 - attack.impact
19 - attack.t1070
20 - attack.t1485
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection_img:
26 - Image|endswith: '\fsutil.exe'
27 - OriginalFileName: 'fsutil.exe'
28 selection_cli:
29 CommandLine|contains:
30 - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
31 - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
32 - 'setZeroData' # file setZeroData ==> empties a file with zeroes
33 condition: all of selection_*
34falsepositives:
35 - Admin activity
36 - Scripts and administrative tools used in the monitored environment
37level: high
References
Related rules
- Potential BlackByte Ransomware Activity
- AWS EFS Fileshare Mount Modified or Deleted
- AWS EKS Cluster Created or Deleted
- Audit CVE Event
- Azure Application Deleted