← Back to Explore
sigmahighTTP
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
Detection Query
selection_img:
- Image|endswith: \fsutil.exe
- OriginalFileName: fsutil.exe
selection_cli:
CommandLine|contains:
- deletejournal
- createjournal
- setZeroData
condition: all of selection_*
Author
Ecco, E.M. Anhaus, oscd.community
Created
2019-09-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
Tags
attack.defense-evasionattack.impactattack.t1070attack.t1485
Raw Content
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
- attack.defense-evasion
- attack.impact
- attack.t1070
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\fsutil.exe'
- OriginalFileName: 'fsutil.exe'
selection_cli:
CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
- 'setZeroData' # file setZeroData ==> empties a file with zeroes
condition: all of selection_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high