LoFP / certain software or administrative tasks may trigger false positives.

Techniques

• t1120

Sample rules

Fsutil Drive Enumeration

• source: sigma
• technicques:
  • t1120

Description

Attackers may leverage fsutil to enumerated connected drives.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: drives
selection_img:
- Image|endswith: \fsutil.exe
- OriginalFileName: fsutil.exe