title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
  Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
author: Ecco, E.M. Anhaus, oscd.community
date: 2019/09/26
modified: 2022/07/11
tags:
    - attack.defense_evasion
    - attack.t1070
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\fsutil.exe'
        - OriginalFileName: 'fsutil.exe'
    selection_cli:
        CommandLine|contains:
            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker
            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size
    condition: all of selection_*
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high