edge cases may exist in environments where this command is used for legitimate purposes. however, such usage is expected to be uncommon. it is recommended to investigate any occurrences of this command, and apply filters as necessary.

Techniques

T1222.001

Sample rules

Windows Symlink Evaluation Change via Fsutil

source: splunk
technicques:
- T1222.001

Description

This analytic detects the execution of the Windows built-in tool Fsutil.exe with the “behavior”, “set” and “SymlinkEvaluation” parameters. Attackers can abuse this to alter symlink evaluation behavior on Windows, potentially enabling remote traversal over SMB shares or evading defenses. Such changes should be uncommon or even rare in enterprise environments and should be investigated.

Detection logic


| tstats `security_content_summariesonly`
    count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes where 
  
  (
    Processes.process_name="fsutil.exe"
    OR Processes.original_file_name="fsutil.exe"
  )

  Processes.process="*behavior*"
  Processes.process="*set*"
  Processes.process="*SymlinkEvaluation*"
  
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
  Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
  Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
  Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_symlink_evaluation_change_via_fsutil_filter`