Windows fsutil suspicious invocation

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects suspicious usage of fsutil.exe to delete filesystem journals, create journals, or set zero data, which may indicate attempts to destroy forensic evidence.

Strategy

This rule monitors command-line execution of fsutil.exe with specific arguments that could indicate anti-forensic activity. The detection focuses on the deletejournal, createjournal, and setZeroData operations, which can be used to remove file system journals or destroy data. These operations are suspicious in most environments: they are rarely used for legitimate administrative purposes and are commonly used by attackers to cover their tracks by removing forensic evidence or destroying data.
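As an added illustration of the matching logic described above (example code, not Datadog's own rule implementation), the following Python checks constructed process-creation events for fsutil.exe invocations carrying the named arguments. The event fields, host names and sample command lines are assumptions; tokens are compared case-insensitively because the subcommand can appear in mixed case (the rule itself writes setZeroData).

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Argument tokens the rule's strategy names, lower-cased for comparison.
SUSPICIOUS_ARGS = {"deletejournal", "createjournal", "setzerodata"}


@dataclass
class ProcessEvent:
    # Assumed field names for a process-creation event; not a real schema.
    host: str
    user: str
    image: str          # full path of the executable
    command_line: str


def is_fsutil(image: str) -> bool:
    # Compare on file name only, so "fsutil.exe" and
    # "C:\Windows\System32\fsutil.exe" are both matched.
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == "fsutil.exe"


def matched_args(command_line: str) -> Set[str]:
    # Whitespace split is sufficient here: the subcommand is its own token.
    tokens = {t.lower() for t in command_line.split()}
    return SUSPICIOUS_ARGS & tokens


def detect(event: ProcessEvent) -> Optional[dict]:
    # Both conditions must hold: the image is fsutil.exe AND a suspicious
    # argument is present. Other fsutil usage (e.g. "fsinfo") is ignored.
    if not is_fsutil(event.image):
        return None
    hits = matched_args(event.command_line)
    if not hits:
        return None
    return {"host": event.host, "user": event.user, "args": sorted(hits),
            "command_line": event.command_line}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "alice", r"C:\Windows\System32\fsutil.exe",
                 "fsutil usn deletejournal /D C:"),
    ProcessEvent("ws-02", "bob", r"C:\Windows\System32\fsutil.exe",
                 "fsutil file SetZeroData offset=0 length=1048576 D:\\evidence.log"),
    ProcessEvent("ws-03", "carol", r"C:\Windows\System32\fsutil.exe",
                 "fsutil fsinfo drives"),
    ProcessEvent("ws-04", "dave", r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo deletejournal"),
]


def run(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[dict]:
    return [a for a in (detect(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the first two sample events produce alerts; the plain `fsinfo` query and the cmd.exe event that merely echoes the word are dropped, which is the distinction triage step one relies on when reading the full command line.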

Triage & Response

  • Examine the full command line parameters to understand exactly what operation was performed using fsutil on {{host}}.
  • Verify if the action was authorized as part of legitimate system maintenance or administrative tasks.
  • Investigate the timeline of events before and after the fsutil execution to identify suspicious behavior that may be related.
  • Check if this activity corresponds with other data destruction patterns or anti-forensic techniques on the system.