Fsutil Suspicious Invocation

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Sigma rule (View on GitHub)

 1title: Fsutil Suspicious Invocation
 2id: add64136-62e5-48ea-807e-88638d02df1e
 3status: stable
 4description: |
 5  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
 6  Might be used by ransomwares during the attack (seen by NotPetya and others).  
 7references:
 8    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
10    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
11    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
12    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
13author: Ecco, E.M. Anhaus, oscd.community
14date: 2019-09-26
15modified: 2023-09-09
16tags:
17    - attack.defense-evasion
18    - attack.impact
19    - attack.t1070
20    - attack.t1485
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_img:
26        - Image|endswith: '\fsutil.exe'
27        - OriginalFileName: 'fsutil.exe'
28    selection_cli:
29        CommandLine|contains:
30            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
31            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
32            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
33    condition: all of selection_*
34falsepositives:
35    - Admin activity
36    - Scripts and administrative tools used in the monitored environment
37level: high

References

Related rules

to-top