SigmaHQ/rules/windows/process_creation/win_susp_fsutil_usage.yml

title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2019/11/11
level: high
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    category: process_creation
    product: windows
detection:
    binary_1:
        Image|endswith: '\fsutil.exe'
    binary_2:
        OriginalFileName: 'fsutil.exe'
    selection:
        CommandLine|contains:
            - 'deletejournal'  # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'  # usn createjournal ==> can modify config to set it to a tiny size
    condition: (1 of binary_*) and selection
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Fsutil Suspicious Invocation`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: add64136-62e5-48ea-807e-88638d02df1e`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`author: Ecco, E.M. Anhaus, oscd.community`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`date: 2019/09/26`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`modified: 2019/11/11`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`level: high`
			`references:`
			`- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml`
			`- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1070`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`binary_1:`
modify rules based on BSI contribution 2019-11-13 21:23:16 +00:00			`Image\|endswith: '\fsutil.exe'`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`binary_2:`
			`OriginalFileName: 'fsutil.exe'`
			`selection:`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`CommandLine\|contains:`
Fixed rules that likely will cause false negatives by fix 2020-03-01 22:14:53 +00:00			`- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker`
			`- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 14:57:03 +00:00			`condition: (1 of binary_*) and selection`
			`falsepositives:`
			`- Admin activity`
			`- Scripts and administrative tools used in the monitored environment`