mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-10-23 17:19:23 +02:00
25 lines
745 B
YAML
25 lines
745 B
YAML
---
|
|
Name: fsutil.exe
|
|
Description: Filesystem management utility
|
|
Author: gtworek
|
|
Created: 2023-11-04
|
|
Commands:
|
|
- Command: 'fsutil trace decode'
|
|
Description: Executes a pre-planted binary named netsh.exe from the current directory.
|
|
Usecase: Spawn a pre-planted executable from fsutil.exe.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218
|
|
OperatingSystem: Windows 11
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\fsutil.exe
|
|
Detection:
|
|
- IOC: Sysmon Event ID 1
|
|
- IOC: Execution of process fsutil.exe with trace decode could be suspicious
|
|
- IOC: Non-Windows netsh.exe execution
|
|
Resources:
|
|
- Link: https://twitter.com/0gtweet/status/1720724516324704404
|
|
Acknowledgement:
|
|
- Person: Grzegorz Tworek
|
|
Handle: '@0gtweet'
|