Detectionmediumtest
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, The DFIR ReportCreated Wed Mar 02Updated Thu Nov 13c0b2768a-dd06-4671-8339-b16ca8d1f27fwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_img_proxy:
# Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_fsutil_cli:
CommandLine|contains|all:
- 'fsutil'
- 'behavior'
- 'set'
- 'SymlinkEvaluation'
selection_symlink_params:
CommandLine|contains:
- 'R2L:1' # Remote to Local
- 'R2R:1' # Remote to Remote
- 'L2L:1' # Local to Local
condition: all of selection_*False Positives
Legitimate usage, investigate the parent process and context to determine if benign.
MITRE ATT&CK
Other
attack.t1222.001
Rule Metadata
Rule ID
c0b2768a-dd06-4671-8339-b16ca8d1f27f
Status
test
Level
medium
Type
Detection
Created
Wed Mar 02
Modified
Thu Nov 13
Author
Path
rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml
Raw Tags
attack.executionattack.t1059attack.defense-evasionattack.t1222.001