Fsutil Suspicious Invocation
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Fsutil Suspicious Invocation | Standard | Windows | Impact: Data Destruction (T1485),"Defense Evasion: Indicator Removal (T1070)" | Trouble |
About the rule
Rule Type
Standard
Rule Description
Fsutil.exe is a legitimate Windows command-line tool used for managing and querying file systems on NTFS and FAT volumes. Its wide-ranging capabilities include operations on USN journals, disk allocation, and file manipulation. Attackers frequently abuse fsutil.exe with dangerous parameters, such as deleting the USN journal, zeroing file contents, or modifying disk configuration to evade defenses, destroy forensic evidence, or prepare for data destruction.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Abuse of fsutil.exe → Defense evasion/data destruction → Impact
Impact
- Log/file deletion
- Data destruction
- Hiding malicious activity
- System compromise
Rule Requirement
Prerequisites
Use the Group Policy Management Console to audit process creation and process termination.
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.
Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\fsutil.exe" OR ORIGINALFILENAME = "fsutil.exe") AND COMMANDLINE contains "deletejournal,createjournal,setZeroData" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Data Destruction (T1485),"Defense Evasion: Indicator Removal (T1070)"
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-01: Networks and network services are monitored to find potentially adverse events.
When this rule is triggered, you’re notified of a suspicious invocation of fsutil.exe, such as deletion of the USN journal, zeroing out file data, or manipulating file system behavior in ways that deviate from normal administrative activity. This enables you to promptly review command-line behavior, analyze user context, and identify attempts at defense evasion, destructive actions, or anti-forensic measures.
Author
Ecco, E.M. Anhaus, oscd.community
Future actions
Known False Positives
This rule may trigger during legitimate system administration or automated scripts that perform disk maintenance or manage USN journals as part of backup, migration, or advanced troubleshooting procedures. Always review the context, parent process, and user account to determine legitimacy.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Reconfiguration: Refine detection rules or allowlists for validated administrative use, update analytics for new tactics, and strengthen endpoint monitoring.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1053 |
| Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
M1032 | Multi-factor Authentication | Implement multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure. MFA delete requires additional authentication steps, making it significantly more difficult for adversaries to destroy data without proper credentials. This additional security layer helps protect against the impact of data destruction in cloud environments by ensuring that only authenticated actions can irreversibly delete storage or machine images. |
M1018 |
| In cloud environments, limit permissions to modify cloud bucket lifecycle policies (e.g., PutLifecycleConfiguration in AWS) to only those accounts that require it. In AWS environments, consider using Service Control policies to limit the use of the PutBucketLifecycle API call. |
M1041 |
| Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary. |
M1029 |
| Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. |
M1022 |
| Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
