Skip to content

Hide Navigation Hide TOC

Potentially Suspicious NTFS Symlink Behavior Modification (c0b2768a-dd06-4671-8339-b16ca8d1f27f)

Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
Potentially Suspicious NTFS Symlink Behavior Modification (c0b2768a-dd06-4671-8339-b16ca8d1f27f) Sigma-Rules Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
Potentially Suspicious NTFS Symlink Behavior Modification (c0b2768a-dd06-4671-8339-b16ca8d1f27f) Sigma-Rules Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 1
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 2