.. / fsutil.exe
Star

Tamper

File System Utility

Paths:

C:\Windows\System32\fsutil.exe
C:\Windows\SysWOW64\fsutil.exe

Acknowledgements:

Elliot Killick (@elliotkillick)
Jimmy (@bohops)

Detection:

IOC: fsutil.exe should not be run on a normal workstation
IOC: file setZeroData (not case-sensitive) in the process arguments
Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml

Tamper

Zero out a file

fsutil.exe file setZeroData offset=0 length=9999999999 C:\Windows\Temp\payload.dll

Usecase: Can be used to forensically erase a file
Privileges required: User
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1485

Delete the USN journal volume to hide file creation activity

fsutil.exe usn deletejournal /d c:

Usecase: Can be used to hide file creation activity
Privileges required: User
OS: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1485

.. / fsutil.exe Star

Tamper

.. / fsutil.exe
Star