Suspicious Fsutil.EXE Child Process

Rule Info

Name: Suspicious Fsutil.EXE Child Process
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects child processes of "fsutil.exe" that start from uncommon locations. Starting with Windows 11, the "fsutil.exe" utility introduced a command-line flag called "trace", which allows the user to start, stop, query and decode NTFS trace information. Internally, these sub-flags make use of the "netsh.exe" and "logman.exe" utilities to decode and handle the trace, respectively. An attacker can plant a fake instance of "netsh.exe" or "logman.exe" in the current working directory and have it launched by "fsutil.exe".
Date: 2024-06-06 00:00:00
Modified: None
Id: b325d28f-a2ac-483c-959c-f44403d0878c
Tags: attack.defense_evasion, attack.impact, attack.execution, attack.t1070, attack.t1485
Type: Nextron Sigma feed only (private)

Rule History