{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/anti-forensics/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","anti-forensics","windows","fsutil"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often attempt to cover their tracks after gaining access to a system. Deleting the USN Journal is one way to achieve this. The USN Journal, or Update Sequence Number Journal, is a feature in NTFS file systems that logs changes made to files and directories. This includes file creation, deletion, modifications, and permission changes. By deleting the USN Journal, attackers can remove a valuable source of forensic information that incident responders might use to reconstruct their actions. This brief focuses on the use of \u003ccode\u003efsutil.exe\u003c/code\u003e, a legitimate Windows utility, to delete the USN Journal. While this activity alone is not necessarily indicative of compromise, it raises suspicion, especially when coupled with other anomalous behaviors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain administrative access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003efsutil.exe\u003c/code\u003e with the \u003ccode\u003edeletejournal\u003c/code\u003e and \u003ccode\u003eusn\u003c/code\u003e parameters to delete the USN Journal on a specific volume. For example: \u003ccode\u003efsutil usn deletejournal /D C:\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe operating system processes the command, deleting the USN Journal metadata file for the specified volume.\u003c/li\u003e\n\u003cli\u003eThe attacker continues post-exploitation activities, knowing that file system changes will not be recorded in the USN Journal.\u003c/li\u003e\n\u003cli\u003eThe attacker may use other anti-forensic techniques to further conceal their activity, such as timestomping or file wiping.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the USN Journal hinders forensic investigations by removing a key source of information about file system changes. While the provided source does not indicate specific victim counts or sectors targeted, the impact of this activity is a reduced ability to track attacker actions on a compromised system. Incident responders may struggle to identify the full scope of the breach, the files accessed or modified, and the timeline of events. This can increase the time and resources required for incident response and remediation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect USN Journal Deletion via Fsutil\u003c/code\u003e to your SIEM and tune for your environment to detect the use of \u003ccode\u003efsutil.exe\u003c/code\u003e to delete the USN Journal.\u003c/li\u003e\n\u003cli\u003eInvestigate any endpoint generating event ID 11 related to USN Journal deletion found in \u0026quot;Windows Security Event Logs\u0026quot;.\u003c/li\u003e\n\u003cli\u003eCorrelate detections of USN journal deletion with other suspicious behaviors on the endpoint.\u003c/li\u003e\n\u003cli\u003eConsider using a host-based intrusion detection system (HIDS) or endpoint detection and response (EDR) solution to monitor file system activity and detect suspicious behavior that may indicate an attempt to evade detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-usn-journal-deletion/","summary":"Adversaries may delete the USN journal on Windows systems using `fsutil.exe` to remove evidence of file modifications and other activities, hindering forensic investigations and incident response.","title":"Windows USN Journal Deletion via fsutil.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-30-usn-journal-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Anti-Forensics","version":"https://jsonfeed.org/version/1.1"}