2020-01-30 16:26:09 +00:00
title : Fsutil Suspicious Invocation
2019-11-12 22:12:27 +00:00
id : add64136-62e5-48ea-807e-88638d02df1e
2019-09-06 14:57:03 +00:00
description : Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others)
2019-11-13 21:23:16 +00:00
author : Ecco, E.M. Anhaus, oscd.community
2019-09-06 14:57:03 +00:00
date : 2019 /09/26
2019-11-13 21:23:16 +00:00
modified : 2019 /11/11
2019-09-06 14:57:03 +00:00
level : high
references :
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
2019-11-13 21:23:16 +00:00
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
tags :
- attack.defense_evasion
- attack.t1070
2019-09-06 14:57:03 +00:00
logsource :
category : process_creation
product : windows
detection :
binary_1 :
2019-11-13 21:23:16 +00:00
Image|endswith : '\fsutil.exe'
2019-09-06 14:57:03 +00:00
binary_2 :
OriginalFileName : 'fsutil.exe'
selection :
2019-11-13 21:23:16 +00:00
CommandLine|contains :
2020-03-01 22:14:53 +00:00
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
2019-09-06 14:57:03 +00:00
condition : (1 of binary_*) and selection
falsepositives :
- Admin activity
- Scripts and administrative tools used in the monitored environment