Fsutil Suspicious Invocation
Detects suspicious fsutil parameters (deleting the USN journal, recreating it with a tiny size, zeroing file contents). Might be used by ransomware during an attack (seen with NotPetya and others).
Sigma rule
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
    Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
    Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData' # file setZeroData ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
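The following is an added example, not part of the Sigma rule or of the SigmaHQ project: a small Python evaluator that reproduces this rule's matching semantics and runs it over constructed process_creation events (Sysmon-style field names; the events and paths are made up, not real telemetry). It shows the two points a detection engineer needs to know about this rule: `selection_img` is a list of maps, so `Image` and `OriginalFileName` are OR-ed and a renamed copy of fsutil.exe is still caught via its PE original filename, and Sigma string modifiers such as `contains` are case-insensitive, so `SETZERODATA` matches `'setZeroData'`. The fsutil command lines follow the syntax in the Microsoft reference linked in the rule.

```python
# Added example (not the rule's or SigmaHQ's own code): evaluate the logic of
# "Fsutil Suspicious Invocation" over constructed process_creation events.
#   selection_img : list of maps  -> OR  (Image endswith OR OriginalFileName ==)
#   selection_cli : single map    -> CommandLine contains ANY listed value
#   condition     : all of selection_*  -> both selections must match
# Sigma string matching is case-insensitive by default, hence the lower-casing.

IMAGE_SUFFIX = "\\fsutil.exe"
ORIGINAL_FILE_NAME = "fsutil.exe"
CLI_INDICATORS = ("deletejournal", "createjournal", "setzerodata")


def selection_img(event):
    """Image ends with '\\fsutil.exe' OR OriginalFileName is 'fsutil.exe'."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def selection_cli(event):
    """CommandLine|contains with a value list: any one value is enough."""
    cmdline = event.get("CommandLine", "").lower()
    return any(indicator in cmdline for indicator in CLI_INDICATORS)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (invented for this example, not captured logs).
SAMPLE_EVENTS = [
    # 1. classic pre-encryption step: delete the USN change journal
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": r"fsutil usn deletejournal /D C:"},
    # 2. recreate the journal with a tiny maximum size (m=) so it keeps no history
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": r"fsutil usn createjournal m=1000 a=100 C:"},
    # 3. zero a file's content in place; upper-case to exercise case-insensitivity
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": r"fsutil file SETZERODATA offset=0 length=4096 C:\Temp\notes.txt"},
    # 4. renamed copy of fsutil: Image misses, OriginalFileName (PE resource) still hits
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": r"svchost.exe usn deletejournal /N C:"},
    # 5. benign admin use: only reads journal state, must not alert
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "OriginalFileName": "fsutil.exe",
     "CommandLine": r"fsutil usn queryjournal C:"},
    # 6. indicator string present but the process is not fsutil, must not alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell -c Write-Host 'deletejournal not run'"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one verdict per event, in input order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

Events 1 to 4 alert, 5 and 6 do not. Event 4 is the reason the rule keeps the `OriginalFileName` alternative: an attacker who copies fsutil.exe under another name defeats `Image|endswith` but not the name embedded in the binary's version resource. Event 2 is also the source of the listed false positives, since `createjournal` is the same command an administrator runs to enable or resize the journal on a volume; if this is noisy, tune on the `m=` value rather than dropping the indicator.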
Related rules
- Potential BlackByte Ransomware Activity
- Potential Secure Deletion with SDelete
- AWS SAML Provider Deletion Activity
- Audit CVE Event
- Cisco File Deletion