Create Fsutil.yml (#339)

Grzegorz Tworek 2023-11-06 15:01:59 +01:00 committed by GitHub
parent abd4e989f4
commit 5b4d6d604c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

yml/OSBinaries/Fsutil.yml Normal file

@ -0,0 +1,24 @@
---
Name: fsutil.exe
Description: Filesystem management utility
Author: gtworek
Created: 2023-11-04
Commands:
- Command: 'fsutil trace decode'
Description: Executes a pre-planted binary named netsh.exe from the current directory.
Usecase: Spawn a pre-planted executable from fsutil.exe.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 11
Full_Path:
- Path: C:\Windows\System32\fsutil.exe
Detection:
- IOC: Sysmon Event ID 1
- IOC: Execution of process fsutil.exe with trace decode could be suspicious
- IOC: Non-Windows netsh.exe execution
Resources:
- Link: https://twitter.com/0gtweet/status/1720724516324704404
Acknowledgement:
- Person: Grzegorz Tworek
Handle: '@0gtweet'
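Review bot: the Detection block is too vague to turn into a rule as written. `IOC: Sysmon Event ID 1` names an event type with no condition, and `IOC: Execution of process fsutil.exe with trace decode could be suspicious` reads as a hunch rather than a detectable state. Since the Description says the payload is a pre-planted netsh.exe loaded from the current directory, state the concrete condition a defender would match on, e.g. a process creation event whose parent image is `C:\Windows\System32\fsutil.exe` (the Full_Path given above) and whose child image is named netsh.exe but does not reside under `C:\Windows\System32`; that also makes the third entry, `IOC: Non-Windows netsh.exe execution`, precise instead of a restatement. Minor: `OperatingSystem: Windows 11` is the only version listed; if other builds were not tested, saying so in the entry would avoid readers assuming the behaviour is Windows 11 specific.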