Fsutil (7a829dae-00cf-4321-95b4-276f7dfb5368)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: File System Utility
Author: Elliot Killick
Paths:
* C:\Windows\System32\fsutil.exe
* C:\Windows\SysWOW64\fsutil.exe
Resources:
* https://twitter.com/0gtweet/status/1720724516324704404
Detection:
* IOC: fsutil.exe should not be run on a normal workstation
* IOC: file setZeroData (not case-sensitive) in the process arguments
* IOC: Sysmon Event ID 1
* IOC: Execution of process fsutil.exe with trace decode could be suspicious
* IOC: Non-Windows netsh.exe execution
* Sigma: proc_creation_win_susp_fsutil_usage.yml
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Fsutil (7a829dae-00cf-4321-95b4-276f7dfb5368) | Tidal Software | Gold Dupont (ebf63407-9772-4f38-93ad-48b8c9bb0bcf) | Tidal Groups | 1 |