Detection rules › Sigma
Fsutil Suspicious Invocation
Detects suspicious fsutil invocations (deleting the USN journal, creating it with a small size, zeroing file data, etc.). These commands may be used by ransomware during an attack (seen with NotPetya and others).
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1070 Indicator Removal |
| Impact | T1485 Data Destruction |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
The rule fires only when both stages match on the same process-creation event (Sigma condition `all of selection_*`); within a stage, any one of the listed predicates is sufficient.

Stage 1: all of selection_img
or:
- Image|endswith: '\fsutil.exe'
- OriginalFileName: fsutil.exe

Stage 2: all of selection_cli
or:
- CommandLine|contains: createjournal
- CommandLine|contains: deletejournal
- CommandLine|contains: setZeroData
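As an added example (not code from the rule catalog or the Sigma project), the two stages above evaluated in Python over constructed Sysmon Event ID 1 records. Sigma string matching is case-insensitive by default, so both sides are lowercased; the sample set shows a renamed binary caught via OriginalFileName, a benign `fsutil fsinfo` call that is not flagged, and a command line that satisfies stage 2 alone:

```python
"""Evaluate the fsutil Sigma rule's two stages over Sysmon EID 1 records.

Sigma modifiers (endswith, contains, plain equality) are case-insensitive
by default, so every comparison lowercases both sides first.
"""

FSUTIL_IMAGE_SUFFIX = "\\fsutil.exe"
FSUTIL_ORIGINAL_NAME = "fsutil.exe"
# Lowercased because the command line is lowercased before matching.
SUSPICIOUS_ARGS = ("createjournal", "deletejournal", "setzerodata")


def selection_img(event: dict) -> bool:
    """Stage 1: Image ends with \\fsutil.exe OR OriginalFileName is fsutil.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(FSUTIL_IMAGE_SUFFIX) or original == FSUTIL_ORIGINAL_NAME


def selection_cli(event: dict) -> bool:
    """Stage 2: CommandLine contains any of the three suspicious sub-commands."""
    cmdline = event.get("CommandLine", "").lower()
    return any(arg in cmdline for arg in SUSPICIOUS_ARGS)


def matches(event: dict) -> bool:
    """Condition: all of selection_* (both stages must hold)."""
    return selection_img(event) and selection_cli(event)


# Constructed Sysmon process-creation (Event ID 1) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil usn deletejournal /D C:"},              # both stages
    {"Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "svc.exe file setZeroData offset=0 length=4096 C:\\db.mdf"},  # renamed binary
    {"Image": "C:\\Windows\\System32\\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil fsinfo drives"},                        # benign, stage 1 only
    {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo deletejournal"},               # stage 2 only
]


def alerts(events: list[dict]) -> list[str]:
    """Return the CommandLine of every record the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```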
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | createjournal, deletejournal, setZeroData |
| Image | ends_with | \fsutil.exe |
| OriginalFileName | eq | fsutil.exe |