2019-09-06 14:57:03 +00:00
title : Fsutil suspicious invocation
2019-11-12 22:12:27 +00:00
id : add64136-62e5-48ea-807e-88638d02df1e
description : Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen
by NotPetya and others)
2019-09-06 14:57:03 +00:00
author : Ecco
date : 2019 /09/26
level : high
references :
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
logsource :
category : process_creation
product : windows
detection :
binary_1 :
Image : '*\fsutil.exe'
binary_2 :
OriginalFileName : 'fsutil.exe'
selection :
CommandLine :
- '* deletejournal *' # usn deletejournal ==> generally ransomware or attacker
- '* createjournal *' # usn createjournal ==> can modify config to set it to a tiny size
condition : (1 of binary_*) and selection
falsepositives :
- Admin activity
- Scripts and administrative tools used in the monitored environment
