Techniques
Sample rules
Potentially Suspicious NTFS Symlink Behavior Modification
- source: sigma
- techniques:
  - t1059
  - t1222
  - t1222.001
Description
Detects the modification of NTFS symbolic link evaluation behavior via fsutil, which could be used to enable remote-to-local (R2L) or remote-to-remote (R2R) symlink following for potential attacks.
Detection logic
condition: all of selection_*
selection_fsutil_cli:
  CommandLine|contains|all:
    - fsutil
    - behavior
    - set
    - SymlinkEvaluation
selection_img_proxy:
  - Image|endswith:
      - \cmd.exe
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - Cmd.Exe
      - PowerShell.EXE
      - pwsh.dll
selection_symlink_params:
  CommandLine|contains:
    - R2L:1
    - R2R:1
    - L2L:1
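The rule's three selections combine as an AND (`all of selection_*`), while the list under `selection_img_proxy` is an OR of two field checks. The following is an added example, not Sigma's own code or part of this rule: a small evaluator that applies that logic to constructed process-creation events (Sysmon-style `Image`, `OriginalFileName` and `CommandLine` fields), with case-insensitive string matching as Sigma uses by default. The sample events and the helper names are assumptions made for illustration.

```python
# Added example: a minimal evaluator for the Sigma rule above, applied to
# constructed process-creation events. This is not Sigma's own code; it only
# implements the contains / contains|all / endswith modifiers the rule uses.

SYMLINK_RULE = {
    "selection_fsutil_cli": {
        "CommandLine|contains|all": ["fsutil", "behavior", "set", "SymlinkEvaluation"],
    },
    "selection_img_proxy": [
        {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]},
        {"OriginalFileName": ["Cmd.Exe", "PowerShell.EXE", "pwsh.dll"]},
    ],
    "selection_symlink_params": {
        "CommandLine|contains": ["R2L:1", "R2R:1", "L2L:1"],
    },
}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifiers: values' pair against an event.

    A list of values is an OR unless the 'all' modifier is present, in which
    case every value must match. Comparison is case-insensitive, matching
    Sigma's default string semantics.
    """
    parts = key.split("|")
    field, mods = parts[0], set(parts[1:])
    actual = str(event.get(field, "")).lower()
    checks = []
    for value in values:
        value = value.lower()
        if "contains" in mods:
            checks.append(value in actual)
        elif "endswith" in mods:
            checks.append(actual.endswith(value))
        elif "startswith" in mods:
            checks.append(actual.startswith(value))
        else:
            checks.append(actual == value)
    return all(checks) if "all" in mods else any(checks)


def _selection_matches(event, selection):
    # A mapping is an AND of its field checks; a list of mappings is an OR.
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule=SYMLINK_RULE):
    """condition: all of selection_* -> every selection must match."""
    return all(_selection_matches(event, sel) for sel in rule.values())


# Constructed sample events (Sysmon EventID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {   # enabling remote-to-local symlink evaluation from cmd: should alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:1",
    },
    {   # only querying the current setting: no 'set', no flag, no alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c fsutil behavior query SymlinkEvaluation",
    },
    {   # hardening change that disables remote symlinks (R2L:0): no alert
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:0",
    },
    {   # renamed pwsh binary, mixed case: proxy matched via OriginalFileName
        "Image": "C:\\Tools\\renamed.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": 'renamed.exe -c "FSUTIL Behavior Set symlinkevaluation r2r:1"',
    },
]


def alerting_events(events=SAMPLE_EVENTS):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for cmd in alerting_events():
        print("ALERT:", cmd)
```

The fourth sample shows why the rule keys `selection_img_proxy` on `OriginalFileName` as well as `Image`: a renamed PowerShell host still carries `pwsh.dll` in its version resource. Note that `contains` on the bare token `set` is a substring check, so when tuning the rule for a real environment it is worth confirming that the `R2L:1`/`R2R:1`/`L2L:1` selection, not the `set` token, is what carries the signal.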