.. /Fsutil.exe
Star

File System Utility

Paths:

C:\Windows\System32\fsutil.exe
C:\Windows\SysWOW64\fsutil.exe

Resources:

https://twitter.com/0gtweet/status/1720724516324704404

Acknowledgements:

Elliot Killick (@elliotkillick)
Jimmy (@bohops)
Grzegorz Tworek (@0gtweet)

Detection:

IOC: fsutil.exe should not be run on a normal workstation
IOC: file setZeroData (not case-sensitive) in the process arguments
IOC: Sysmon Event ID 1
IOC: Execution of process fsutil.exe with trace decode could be suspicious
IOC: Non-Windows netsh.exe execution
Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml

Tamper

Zero out a file

fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll

Usecase: Can be used to forensically erase a file
Privileges required: User
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1485

Delete the USN journal volume to hide file creation activity

fsutil.exe usn deletejournal /d c:

Usecase: Can be used to hide file creation activity
Privileges required: User
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1485

Execute

Executes a pre-planted binary named netsh.exe from the current directory.

fsutil.exe trace decode

Usecase: Spawn a pre-planted executable from fsutil.exe.
Privileges required: User
OS: Windows 11
MITRE ATT&CK®: T1218

.. /Fsutil.exe Star

Tamper

Execute

.. /Fsutil.exe
Star