Windows Peripheral Device Discovery via fsutil
Adversaries use the Windows file system utility `fsutil.exe` with the `fsinfo drives` argument to enumerate attached peripheral devices for reconnaissance and situational awareness after gaining initial access.
After gaining initial access to a Windows system, attackers often perform discovery activities to understand the environment and identify valuable targets. One technique involves using the built-in fsutil.exe utility to gather information about peripheral devices connected to the system. This includes identifying secondary drives used for backups, mapped network drives, and removable media. This information can help attackers locate sensitive data, identify backup locations, or find removable drives for data exfiltration. This activity is not inherently malicious but, when coupled with other suspicious behaviors, it indicates potential post-compromise reconnaissance activity. This activity has been observed across various sectors and is a common tactic used by both opportunistic and advanced threat actors.
Attack Chain
- Initial Access: The attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.
- Execution: The attacker executes
fsutil.exewith thefsinfo drivesarguments via command line or other execution methods. - Discovery:
fsutil.exequeries the operating system for information about connected peripheral devices. - Data Collection: The attacker parses the output of the
fsutil fsinfo drivescommand to identify attached drives, including USB drives, network shares, and other removable media. - Target Identification: The attacker uses the information gathered to identify potential targets, such as backup drives, network shares containing sensitive data, or removable media for later exfiltration.
- Lateral Movement (Optional): Based on discovered information, the attacker may attempt to move laterally to other systems or network shares.
- Data Exfiltration (Optional): If sensitive data is located on the discovered drives, the attacker may attempt to exfiltrate the data.
Impact
Successful execution of peripheral device discovery provides attackers with valuable information about the compromised environment, enabling them to identify and target sensitive data, backup locations, or removable media. This can lead to data theft, system compromise, or further lateral movement within the network. While the direct impact of this technique is low, it significantly contributes to the success of subsequent malicious activities.
Recommendation
- Enable Sysmon process creation logging to detect the execution of
fsutil.exewith command-line arguments (see rules below). - Monitor Windows Security Event Logs for process creation events related to
fsutil.exe(Data Source: Windows Security Event Logs). - Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Detection coverage 2
Detect Peripheral Device Discovery via fsutil.exe
lowDetects the execution of fsutil.exe to enumerate drives connected to a Windows system.
Detect Peripheral Device Discovery via fsutil.exe (Original Filename)
lowDetects the execution of fsutil.exe renamed with `fsinfo drives` arguments connected to a Windows system.
Detection queries are available on the platform. Get full rules →