Potentially Suspicious NTFS Symlink Behavior Modification

Date: 11/20/2025

Severity: Medium

Summary

Detects changes to the NTFS symbolic link evaluation policy made with fsutil behavior set SymlinkEvaluation. Enabling remote-to-local (R2L) or remote-to-remote (R2R) evaluation lets symlinks cross between local and remote volumes, a configuration change that can be abused in attacks.

Indicators of Compromise (IOC) List

Image:

'\cmd.exe'

'\powershell.exe'

'\pwsh.exe'

Original Filename:

'Cmd.Exe'

'PowerShell.EXE'

'pwsh.dll'

Commandline (all of):

'fsutil'

'behavior'

'set'

'SymlinkEvaluation'

Commandline (any of):

'R2L:1' # Remote to Local

'R2R:1' # Remote to Remote

'L2L:1' # Local to Local

Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1:

resourcename = "Windows Security" and eventtype = "4688" and processname IN ("cmd.exe", "powershell.exe", "pwsh.exe") AND originalfilename IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll") AND (commandline like "fsutil" and commandline like "behavior" and commandline like "set" and commandline like "SymlinkEvaluation") AND commandline IN ("R2L:1", "R2R:1", "L2L:1")

Detection Query 2:

technologygroup = "EDR" and processname IN ("cmd.exe", "powershell.exe", "pwsh.exe") AND originalfilename IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll") AND (commandline like "fsutil" and commandline like "behavior" and commandline like "set" and commandline like "SymlinkEvaluation") AND commandline IN ("R2L:1", "R2R:1", "L2L:1")
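The two queries above apply the same three conditions: a shell or PowerShell process image, the matching original filename, and a command line that carries all four fsutil tokens plus at least one of the enabling flags. The following Python is an added illustration of that logic run over constructed process-creation records; it is not Gurucul's query engine or code from the referenced Sigma rule. It assumes each event is a flat dictionary using the field names seen in the queries (eventtype, processname, originalfilename, commandline), and it goes slightly beyond the queries by matching case-insensitively and by requiring each flag to be a whole argument rather than a substring.

```python
import re

# Constructed sample 4688-style records (not real telemetry). Field names
# follow the detection queries on this page; the dict layout is an assumption.
SAMPLE_EVENTS = [
    {"eventtype": "4688", "processname": "cmd.exe", "originalfilename": "Cmd.Exe",
     "commandline": "cmd.exe /c fsutil behavior set SymlinkEvaluation R2L:1 R2R:1"},
    # Only queries the setting; 'set' token absent, so no match.
    {"eventtype": "4688", "processname": "powershell.exe", "originalfilename": "PowerShell.EXE",
     "commandline": 'powershell.exe -c "fsutil behavior query SymlinkEvaluation"'},
    {"eventtype": "4688", "processname": "cmd.exe", "originalfilename": "Cmd.Exe",
     "commandline": "fsutil behavior set SymlinkEvaluation L2L:1"},
    # Unrelated process, no match.
    {"eventtype": "4688", "processname": "explorer.exe", "originalfilename": "EXPLORER.EXE",
     "commandline": "explorer.exe"},
    # Disables remote evaluation (":0"); the advisory only looks for ":1".
    {"eventtype": "4688", "processname": "pwsh.exe", "originalfilename": "pwsh.dll",
     "commandline": "pwsh -c fsutil behavior set SymlinkEvaluation R2L:0 R2R:0"},
]

# Conditions taken from the IOC list; compared case-insensitively because
# Windows image names and fsutil arguments are not case-sensitive.
PROCESS_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ORIGINAL_FILENAMES = {"cmd.exe", "powershell.exe", "pwsh.dll"}
REQUIRED_TOKENS = ("fsutil", "behavior", "set", "symlinkevaluation")
# Whole-argument match so that e.g. "R2L:10" or "XR2L:1" would not count.
ENABLE_FLAG_RE = re.compile(r"(?<!\S)(R2L:1|R2R:1|L2L:1)(?!\S)", re.IGNORECASE)


def detect_enabled_flags(event):
    """Return the enabling flags found in a matching process-creation event,
    in command-line order and upper-cased; an empty list means no match."""
    if event.get("eventtype") != "4688":
        return []
    if event.get("processname", "").lower() not in PROCESS_NAMES:
        return []
    if event.get("originalfilename", "").lower() not in ORIGINAL_FILENAMES:
        return []
    cmd = event.get("commandline", "")
    lowered = cmd.lower()
    if not all(tok in lowered for tok in REQUIRED_TOKENS):
        return []
    return [m.upper() for m in ENABLE_FLAG_RE.findall(cmd)]


def severity_for(flags):
    """Rank a hit: remote-to-local or remote-to-remote enablement is the
    behaviour the advisory is about; L2L:1 alone re-asserts the Windows
    default and is lower signal."""
    if any(f in ("R2L:1", "R2R:1") for f in flags):
        return "high"
    if "L2L:1" in flags:
        return "low"
    return "none"


def scan(events):
    """Run the detection over a list of events; return (index, flags, severity)
    for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        flags = detect_enabled_flags(ev)
        if flags:
            hits.append((i, flags, severity_for(flags)))
    return hits


if __name__ == "__main__":
    for idx, flags, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx}: severity={sev} flags={flags} "
              f"commandline={SAMPLE_EVENTS[idx]['commandline']!r}")
```

Two caveats when deploying the query itself: event 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, so Query 1 returns nothing on hosts without it; and because L2L:1 is the default local-to-local setting, matches that contain only that flag warrant a lower priority than R2L:1 or R2R:1.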

Reference:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml

Tags

Sigma, NTFS, Fsutil
