Windows Symlink Evaluation Change via Fsutil

Splunk Security Content

Summary
This analytic detects execution of the Windows built-in command-line utility `Fsutil.exe` with the parameters that govern symlink evaluation, namely `behavior`, `set`, and `SymlinkEvaluation`. Attackers may use this functionality to change how symbolic links are evaluated on a Windows system. Such changes can introduce weaknesses, in particular by allowing remote directory traversal over SMB shares or by bypassing other security controls. In a typical enterprise environment, changes to symlink evaluation settings are rare, so any instance of this command being run should raise an alert for further investigation. The analytic relies on process-creation telemetry such as Sysmon Event ID 1 and Windows Security Event Log 4688; accurate detection depends on command-line logging being enabled for those sources and on the detection rule being implemented correctly.
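The detection logic described above, worked through over a handful of constructed process-creation records. This is an added example, not Splunk's own search or code, and the event fields, host names, users and command lines below are all made up for illustration; the Sysmon `Image`/`CommandLine` and Security 4688 `NewProcessName`/`CommandLine` field names are the standard ones, mapped here onto a small dataclass.

```python
"""Flag process-creation events in which fsutil changes SymlinkEvaluation.

Constructed example for the detection described on the page: an event is a
finding only when the image is fsutil(.exe) AND the command line carries the
ordered parameters `behavior set SymlinkEvaluation`. A `behavior query ...`
call, which merely reads the setting, is deliberately not flagged.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    source: str        # "sysmon:1" or "security:4688" (constructed label)
    host: str
    user: str
    image: str         # Sysmon Image / Security NewProcessName
    command_line: str  # Sysmon CommandLine / Security CommandLine (needs cmdline auditing)
    parent_image: str  # Sysmon ParentImage / Security ParentProcessName


# Constructed sample telemetry; none of these records are real.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("sysmon:1", "WS-0421", "CORP\\jdoe",
                 r"C:\Windows\System32\fsutil.exe",
                 r"fsutil.exe behavior set SymlinkEvaluation R2R:1",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("security:4688", "WS-0421", "CORP\\jdoe",
                 r"C:\Windows\System32\fsutil.exe",
                 r'"C:\Windows\System32\fsutil.exe" behavior query SymlinkEvaluation',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("sysmon:1", "WS-0098", "CORP\\svc-backup",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir C:\Backups",
                 r"C:\Windows\System32\services.exe"),
    ProcessEvent("security:4688", "SRV-FILE01", "CORP\\admin",
                 r"C:\Windows\SysWOW64\fsutil.exe",
                 r"fsutil behavior set symlinkevaluation L2L:1",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

_FSUTIL_NAME = re.compile(r"^fsutil(\.exe)?$", re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, tolerant of surrounding quotes and odd casing."""
    return ntpath.basename(path.strip().strip('"'))


def _is_fsutil(event: ProcessEvent) -> bool:
    """Match on the image path, or on the command's first token when the image
    field is empty (some collectors drop it)."""
    if _FSUTIL_NAME.match(_basename(event.image)):
        return True
    first = event.command_line.strip().split(maxsplit=1)
    return bool(first) and bool(_FSUTIL_NAME.match(_basename(first[0])))


def evaluate(event: ProcessEvent) -> Optional[dict]:
    """Return a finding dict when fsutil is setting SymlinkEvaluation, else None."""
    if not _is_fsutil(event):
        return None
    args = event.command_line.split()
    lowered = [a.lower() for a in args]  # fsutil parameters are case-insensitive
    if "behavior" not in lowered:
        return None
    i = lowered.index("behavior")
    # Require the exact ordered triple; `behavior query SymlinkEvaluation` does not match.
    if lowered[i + 1:i + 3] != ["set", "symlinkevaluation"]:
        return None
    return {
        "host": event.host,
        "user": event.user,
        "source": event.source,
        "parent_image": event.parent_image,
        "new_value": " ".join(args[i + 3:]) or "<none>",  # the flags being applied
        "command_line": event.command_line,
    }


def run_detection(events: List[ProcessEvent]) -> List[dict]:
    """Apply the analytic to a batch of events and return the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(f"[{finding['source']}] {finding['host']} {finding['user']} "
              f"set SymlinkEvaluation -> {finding['new_value']} "
              f"(parent: {finding['parent_image']})")
```

Two design points worth noting for anyone porting this into a search. First, the parent image is carried into the finding because the most useful triage question is what launched `fsutil`, not merely that it ran. Second, matching on the image basename means a renamed copy of the binary will not trigger on the image check; with Sysmon, the `OriginalFileName` field is the usual way to close that gap, and the command-line fallback here only helps when the attacker keeps the `fsutil` name.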
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1222.001
Created: 2025-10-07