Large File Creation Via Fsutil

Rule Info

Name: Large File Creation Via Fsutil
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects fsutil being used to create a new file with a suspiciously large size. Threat actors abuse this technique to fill all available disk space, exhausting the filesystem and preventing the OS from writing logs, recovery artifacts, or any new data.
Date: 2026-05-04 00:00:00
Modified: None
Id: 374b6faf-d695-4151-8e03-5de612ee82ff
Tags: attack.impact, attack.t1485
Type: Nextron Sigma feed only (private)

Rule History