<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Anti-Forensics - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/anti-forensics/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/anti-forensics/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows USN Journal Deletion via fsutil.exe</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-usn-journal-deletion/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-usn-journal-deletion/</guid><description>Adversaries may delete the USN journal on Windows systems using `fsutil.exe` to remove evidence of file modifications and other activities, hindering forensic investigations and incident response.</description><content:encoded><![CDATA[<p>Attackers often attempt to cover their tracks after gaining access to a system. Deleting the USN Journal is one way to achieve this. The USN Journal, or Update Sequence Number Journal, is a feature in NTFS file systems that logs changes made to files and directories. This includes file creation, deletion, modifications, and permission changes. By deleting the USN Journal, attackers can remove a valuable source of forensic information that incident responders might use to reconstruct their actions. This brief focuses on the use of <code>fsutil.exe</code>, a legitimate Windows utility, to delete the USN Journal. While this activity alone is not necessarily indicative of compromise, it raises suspicion, especially when coupled with other anomalous behaviors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., via compromised credentials or exploiting a vulnerability).</li>
<li>The attacker elevates privileges to gain administrative access.</li>
<li>The attacker uses <code>fsutil.exe</code> with the <code>deletejournal</code> and <code>usn</code> parameters to delete the USN Journal on a specific volume. For example: <code>fsutil usn deletejournal /D C:</code></li>
<li>The operating system processes the command, deleting the USN Journal metadata file for the specified volume.</li>
<li>The attacker continues post-exploitation activities, knowing that file system changes will not be recorded in the USN Journal.</li>
<li>The attacker may use other anti-forensic techniques to further conceal their activity, such as timestomping or file wiping.</li>
<li>The attacker achieves their final objective, such as data exfiltration, deploying ransomware, or establishing persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful deletion of the USN Journal hinders forensic investigations by removing a key source of information about file system changes. While the provided source does not indicate specific victim counts or sectors targeted, the impact of this activity is a reduced ability to track attacker actions on a compromised system. Incident responders may struggle to identify the full scope of the breach, the files accessed or modified, and the timeline of events. This can increase the time and resources required for incident response and remediation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect USN Journal Deletion via Fsutil</code> to your SIEM and tune for your environment to detect the use of <code>fsutil.exe</code> to delete the USN Journal.</li>
<li>Investigate any endpoint generating event ID 11 related to USN Journal deletion found in &quot;Windows Security Event Logs&quot;.</li>
<li>Correlate detections of USN journal deletion with other suspicious behaviors on the endpoint.</li>
<li>Consider using a host-based intrusion detection system (HIDS) or endpoint detection and response (EDR) solution to monitor file system activity and detect suspicious behavior that may indicate an attempt to evade detection.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-evasion</category><category>anti-forensics</category><category>windows</category><category>fsutil</category></item></channel></rss>