
Software Name: FSUTIL

Description: ‘fsutil.exe’ is a Windows command-line utility that performs tasks related to the file
allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files,
or dismounting a volume
(https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil).

Adversaries typically use the ‘fsutil’ utility to discover connected drives, check the free space available
on a particular drive, or clear the USN journal.

Platform: Windows

Techniques:

System Information Discovery (T1082) – The ‘fsutil volume diskfree C:’ command is used to check the
free space available on a particular drive.

Peripheral Device Discovery (T1120) – The ‘fsutil fsinfo drives’ command is used to list the drives
connected to the system.

Indicator Removal on Host: File Deletion (T1070.004) – The ‘fsutil usn deleteJournal’ command can be
used to delete the update sequence number (USN) change journal, which inhibits recovery of files. The
‘fsutil file setzerodata’ command can be used to securely delete a file by overwriting its data with zeros.

Adversary Use:

G0016 - APT29: APT29 used the ‘fsutil volume diskfree C:’ command to check available free space before
executing actions that might create large files on disk.
(https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)

G0010 - Turla: Turla has used the ‘fsutil fsinfo drives’ command to list connected drives.
(https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)

G0114 - Chimera: Chimera has used the ‘fsutil fsinfo drives’ command to list the drives connected to
the system.
(https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/)

S0368 - NotPetya: NotPetya has cleaned the file system log using the command ‘fsutil usn deletejournal
/D C:’.
(https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/)

S0342 - GreyEnergy: The malware dropper deletes itself by overwriting the file with zeros and removing
the file from the disk, and the dropper then cleans the USN journal. The commands used are ‘fsutil file
setzerodata offset=0 length=%DROPPER_FILESIZE% "%DROPPER_PATH%"’ and ‘fsutil usn
deletejournal /D %DROPPER_DRIVE%’.
(https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf)

BadRabbit: The ransomware used the ‘fsutil usn deletejournal /D C:’ command to delete the update
sequence number (USN) change journal.
(https://www.mcafee.com/blogs/other-blogs/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/)

RansomEXX (Defray777): The ransomware has used ‘C:\Windows\System32\fsutil.exe usn deletejournal
/D C:’, which in turn deletes the Update Sequence Number journal.
(https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3/)
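A detection-side illustration of the Techniques section and of the command lines quoted under Adversary Use: the following Python script is an added example, not part of this page or of any of the referenced reports. It classifies fsutil process-creation events into the ATT&CK technique IDs listed above. The event layout (Sysmon-style ‘Image’ and ‘CommandLine’ fields), the helper names ‘classify_fsutil’ and ‘scan_events’, and the sample events are assumptions of this example; the sample command lines reuse those cited on this page, with a constructed length and path standing in for the GreyEnergy placeholders.

```python
"""Classify fsutil.exe process-creation events into the ATT&CK techniques
listed on this page. Added example: the event layout (Sysmon-style 'Image'
and 'CommandLine' fields) and the helper names are assumptions."""
import re
from dataclasses import dataclass

# (subcommand, verb) -> technique ID and a short analyst note.
# Only the patterns this page documents are covered.
RULES = [
    (("usn", "deletejournal"), "T1070.004", "USN change journal deleted"),
    (("file", "setzerodata"), "T1070.004", "file contents overwritten with zeros"),
    (("fsinfo", "drives"), "T1120", "connected drives enumerated"),
    (("volume", "diskfree"), "T1082", "free space on a volume checked"),
]


@dataclass
class Finding:
    technique: str
    note: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def classify_fsutil(image: str, command_line: str):
    """Return a Finding for a known fsutil pattern from this page, or None."""
    tokens = _tokens(command_line)
    if not tokens:
        return None
    # Match on the Image field or on argv[0]; both forms appear in the reports above.
    if _basename(image) != "fsutil.exe" and _basename(tokens[0]) not in ("fsutil", "fsutil.exe"):
        return None
    args = [t.lower() for t in tokens[1:]]  # fsutil subcommands are case-insensitive
    for (sub, verb), technique, note in RULES:
        if len(args) >= 2 and args[0] == sub and args[1] == verb:
            return Finding(technique, note, image, command_line)
    return None


def scan_events(events):
    """Run classify_fsutil over process-creation events; keep only the hits."""
    findings = []
    for event in events:
        hit = classify_fsutil(event.get("Image", ""), event.get("CommandLine", ""))
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample events. The command lines reuse those cited on this page;
# the setzerodata length and path are placeholders, not values from any report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fsutil.exe", "CommandLine": "fsutil volume diskfree C:"},
    {"Image": r"C:\Windows\System32\fsutil.exe", "CommandLine": "fsutil fsinfo drives"},
    {"Image": r"C:\Windows\System32\fsutil.exe", "CommandLine": "fsutil usn deletejournal /D C:"},
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": r"C:\Windows\System32\fsutil.exe usn deletejournal /D C:"},
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": r'fsutil file setzerodata offset=0 length=4096 "C:\Users\Public\dropper.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},   # benign, ignored
    {"Image": r"C:\Windows\System32\fsutil.exe", "CommandLine": "fsutil dirty query C:"},  # not on this page
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.note:<40} {f.command_line}")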

You might also like