Fsutil.exe
File System Utility
Paths
C:\Windows\System32\fsutil.exe
C:\Windows\SysWOW64\fsutil.exe
Commands
Tamper
Zero out a file
Use case: Can be used to forensically erase a file
Privileges: User
fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE}
Tamper
Delete the USN journal volume to hide file creation activity
Use case: Can be used to hide file creation activity
Privileges: User
fsutil.exe usn deletejournal /d c:
Execute
Executes a pre-planted binary named netsh.exe from the current directory.
Use case: Spawn a pre-planted executable from fsutil.exe.
Privileges: User
fsutil.exe trace decode
Detection
- IOC: fsutil.exe should not be run on a normal workstation
- IOC: file setZeroData (not case-sensitive) in the process arguments
- IOC: Sysmon Event ID 1
- IOC: Execution of process fsutil.exe with trace decode could be suspicious
- IOC: Non-Windows netsh.exe execution
- Sigma: https://github.com/SigmaHQ/sigma/blob/ff5102832031425f6eed011dd3a2e62653008c94/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml
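Added example, not part of the LOLBAS entry or the linked Sigma rule: a small classifier that applies the IOCs above to Sysmon Event ID 1 records, assuming each record is a dict with the Sysmon field names Image, ParentImage and CommandLine, and using constructed sample events rather than real telemetry.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "fsutil.exe file SETZERODATA offset=0 length=9999999999 C:\\Users\\a\\report.docx"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "fsutil.exe usn deletejournal /d c:"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "fsutil.exe trace decode"},
    {"EventID": 1, "Image": "C:\\Users\\a\\Downloads\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\fsutil.exe",
     "CommandLine": "netsh.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "fsutil.exe fsinfo drives"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh.exe interface show interface"},
]

# Argument patterns taken from the Detection section, matched case-insensitively.
FSUTIL_ARG_PATTERNS = {
    "fsutil_setzerodata": re.compile(r"\bfile\s+setzerodata\b", re.I),
    "fsutil_usn_deletejournal": re.compile(r"\busn\s+deletejournal\b", re.I),
    "fsutil_trace_decode": re.compile(r"\btrace\s+decode\b", re.I),
}
WINDOWS_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

def split_path(path):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def classify(event):
    """Return the names of the IOCs a single Sysmon Event ID 1 record matches."""
    if event.get("EventID") != 1:
        return []
    hits = []
    directory, image = split_path(event.get("Image", ""))
    _, parent = split_path(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image == "fsutil.exe":
        hits.append("fsutil_execution")  # the entry: fsutil should not run on a normal workstation
        hits += [name for name, pat in FSUTIL_ARG_PATTERNS.items() if pat.search(cmd)]
    # netsh.exe outside the Windows system directories, spawned by fsutil.exe: the pre-planted binary case
    if image == "netsh.exe" and directory not in WINDOWS_DIRS and parent == "fsutil.exe":
        hits.append("non_windows_netsh_from_fsutil")
    return hits

def scan(events):
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```

The benign `fsutil.exe fsinfo drives` record is still reported under `fsutil_execution`, which is the baseline IOC; tune that one to host role (server vs. workstation) before alerting on it.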