low advisory

Windows USN Journal Deletion via Fsutil

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

Attackers can use the fsutil.exe utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal hinders forensic analysis by removing the record of those file operations. The technique is used to cover tracks and evade detection, and is typically observed during the post-exploitation phase of an attack, when adversaries attempt to remove traces of their presence and actions on the compromised system.

Attack Chain

  1. An attacker gains initial access to a Windows system.
  2. The attacker executes fsutil.exe via command line.
  3. The command `fsutil usn deletejournal /D [volume]` is used to delete the USN Journal on the specified volume.
  4. The operating system processes the command, removing the USN Journal.
  5. Subsequent file system activity is no longer recorded in the USN Journal.
  6. The attacker performs further actions on the system, such as lateral movement or data exfiltration.
  7. Forensic analysis is hampered due to the missing USN Journal entries.

Impact

Successful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. This can lead to incomplete remediation and a higher risk of reinfection.

Recommendation

  • Deploy the Sigma rule “Detect USN Journal Deletion via Fsutil” to your SIEM to identify this specific behavior.
  • Monitor process execution events for fsutil.exe with arguments related to “deletejournal” and “usn” to detect potential attempts to delete the USN Journal.
  • Enable Sysmon process creation logging to capture the execution of fsutil.exe with the relevant arguments.

Detection coverage (2 rules)

Detect USN Journal Deletion via Fsutil

low

Detects the execution of fsutil.exe with arguments to delete the USN journal.

Format: Sigma; tactics: defense_evasion; techniques: T1070.004; sources: process_creation, windows

Detect USN Journal Deletion via Fsutil (PE Metadata)

low

Detects the execution of fsutil.exe with arguments to delete the USN journal by checking PE metadata.

Format: Sigma; tactics: defense_evasion; techniques: T1070.004; sources: process_creation, windows
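As an added illustration of the two detections above (process-creation arguments, and PE metadata for a renamed binary), the following Python is example code written for this page, not the platform's Sigma rules. It assumes Sysmon Event ID 1 field names (Image, CommandLine, OriginalFileName) and runs over constructed sample events.

```python
# Added example: flag Windows process-creation events in which fsutil is
# invoked to delete the USN journal. Field names follow Sysmon Event ID 1;
# the events below are constructed for the example.
from typing import Dict, List, Optional

FSUTIL_NAME = "fsutil.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil usn deletejournal /D C:",
     "OriginalFileName": "fsutil.exe"},
    # Benign fsutil use: querying the journal, not deleting it.
    {"Image": r"C:\Windows\System32\fsutil.exe",
     "CommandLine": "fsutil usn queryjournal C:",
     "OriginalFileName": "fsutil.exe"},
    # Binary renamed on disk; the PE version info still says fsutil.exe.
    {"Image": r"C:\Users\Public\fs.exe",
     "CommandLine": '"C:\\Users\\Public\\fs.exe" USN DeleteJournal /N D:',
     "OriginalFileName": "fsutil.exe"},
    # Keyword appears in an unrelated command line: must not alert.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo deletejournal",
     "OriginalFileName": "Cmd.Exe"},
]


def _image_basename(event: Dict[str, str]) -> str:
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def is_fsutil(event: Dict[str, str]) -> bool:
    # Match on the on-disk name OR the PE metadata name, so a renamed copy
    # is still recognised (the "PE Metadata" rule variant).
    original = event.get("OriginalFileName", "").lower()
    return FSUTIL_NAME in (_image_basename(event), original)


def is_usn_journal_deletion(event: Dict[str, str]) -> bool:
    if not is_fsutil(event):
        return False
    tokens = event.get("CommandLine", "").lower().split()
    # Whole-token match avoids alerting on "deletejournal" inside other text.
    return "usn" in tokens and "deletejournal" in tokens


def describe_alert(event: Dict[str, str]) -> Dict[str, Optional[str]]:
    tokens = event["CommandLine"].split()
    idx = [t.lower() for t in tokens].index("deletejournal")
    # The volume is the first non-switch argument after "deletejournal".
    volume = next((t for t in tokens[idx + 1:] if not t.startswith("/")), None)
    renamed = _image_basename(event) != event.get("OriginalFileName", "").lower()
    return {"image": event["Image"], "volume": volume, "renamed": renamed}


def find_usn_deletions(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    return [describe_alert(e) for e in events if is_usn_journal_deletion(e)]
```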

Detection queries are kept inside the platform.