Skip to content

Hide Navigation Hide TOC

Fsutil Suspicious Invocation (add64136-62e5-48ea-807e-88638d02df1e)

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Cluster A Galaxy A Cluster B Galaxy B Level
Fsutil Suspicious Invocation (add64136-62e5-48ea-807e-88638d02df1e) Sigma-Rules Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 1
Fsutil Suspicious Invocation (add64136-62e5-48ea-807e-88638d02df1e) Sigma-Rules Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 1