From 5b4d6d604c0bb2943a4dd54455f9b2fe486e437d Mon Sep 17 00:00:00 2001 From: Grzegorz Tworek Date: Mon, 6 Nov 2023 15:01:59 +0100 Subject: [PATCH] Create Fsutil.yml (#339) --- yml/OSBinaries/Fsutil.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 yml/OSBinaries/Fsutil.yml diff --git a/yml/OSBinaries/Fsutil.yml b/yml/OSBinaries/Fsutil.yml new file mode 100644 index 0000000..f7d1d71 --- /dev/null +++ b/yml/OSBinaries/Fsutil.yml @@ -0,0 +1,24 @@ +--- +Name: fsutil.exe +Description: Filesystem management utility +Author: gtworek +Created: 2023-11-04 +Commands: + - Command: 'fsutil trace decode' + Description: Executes a pre-planted binary named netsh.exe from the current directory. + Usecase: Spawn a pre-planted executable from fsutil.exe. + Category: Execute + Privileges: User + MitreID: T1218 + OperatingSystem: Windows 11 +Full_Path: + - Path: C:\Windows\System32\fsutil.exe +Detection: + - IOC: Sysmon Event ID 1 + - IOC: Execution of process fsutil.exe with trace decode could be suspicious + - IOC: Non-Windows netsh.exe execution +Resources: + - Link: https://twitter.com/0gtweet/status/1720724516324704404 +Acknowledgement: + - Person: Grzegorz Tworek + Handle: '@0gtweet'
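Review bot: The Detection block is too loose to be actionable as written: `- IOC: Sysmon Event ID 1` names an event source without a condition, and `- IOC: Non-Windows netsh.exe execution` does not say what makes a netsh.exe "non-Windows". Since the Description already states that `fsutil trace decode` launches a `netsh.exe` from the current directory, suggest tying the IOCs to that relationship, e.g. "Sysmon Event ID 1 where ParentImage is fsutil.exe and Image is netsh.exe" and "netsh.exe whose image path is outside the Windows system directory (e.g. not C:\Windows\System32\)", so a reader can turn the entry into a rule without re-deriving it from the Usecase line. Minor: the Usecase and Description say nearly the same thing; the Description could instead note that the working directory is searched before the system path, which is the detail that makes the technique work.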