rules/windows/process_creation/proc_creation_win_fsutil_usage.yml

title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
  Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
    - attack.defense-evasion
    - attack.impact
    - attack.t1070
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: Fsutil Suspicious Invocation`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: add64136-62e5-48ea-807e-88638d02df1e`
chore: promote status of rules 2022-03-30 11:15:54 +02:00			`status: stable`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`description: \|`
			`Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).`
			`Might be used by ransomwares during the attack (seen by NotPetya and others).`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00			`references:`
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS 2024-07-02 06:00:11 -04:00			`- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md`
			`- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html`
$frack113$ Merge PR #4435 from @frack113 - Update Fsutil Suspicious Invocation 2023-09-11 00:30:24 +02:00			`- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md`
			`- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: Ecco, E.M. Anhaus, oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2019-09-26`
			`modified: 2023-09-09`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ Merge PR #4435 from @frack113 - Update Fsutil Suspicious Invocation 2023-09-11 00:30:24 +02:00			`- attack.impact`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- attack.t1070`
$frack113$ Merge PR #4435 from @frack113 - Update Fsutil Suspicious Invocation 2023-09-11 00:30:24 +02:00			`- attack.t1485`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00			`logsource:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`category: process_creation`
			`product: windows`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00			`detection:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`selection_img:`
			`- Image\|endswith: '\fsutil.exe'`
			`- OriginalFileName: 'fsutil.exe'`
			`selection_cli:`
			`CommandLine\|contains:`
			`- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker`
			`- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size`
$frack113$ Merge PR #4435 from @frack113 - Update Fsutil Suspicious Invocation 2023-09-11 00:30:24 +02:00			`- 'setZeroData' # file setZeroData ==> empties a file with zeroes`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`condition: all of selection_*`
move wevtutil / fsutil events from ransomware to dedicated rules 2019-09-06 10:57:03 -04:00			`falsepositives:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- Admin activity`
			`- Scripts and administrative tools used in the monitored environment`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`level: high`