{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fsutil/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","fsutil","usn journal"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can use the \u003ccode\u003efsutil.exe\u003c/code\u003e utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal can hinder forensic analysis by removing evidence of file operations. This technique is used to cover tracks and evade detection after an initial compromise. This activity is often observed during the post-exploitation phase of an attack, where adversaries attempt to remove traces of their presence and actions on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line.\u003c/li\u003e\n\u003cli\u003eThe command \u003ccode\u003efsutil usn deletejournal /D [volume]\u003c/code\u003e is used to delete the USN Journal on the specified volume.\u003c/li\u003e\n\u003cli\u003eThe operating system processes the command, removing the USN Journal.\u003c/li\u003e\n\u003cli\u003eSubsequent file system activity is no longer recorded in the USN Journal.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions on the system, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eForensic analysis is hampered due to the missing USN Journal entries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. This can lead to incomplete remediation and a higher risk of reinfection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect USN Journal Deletion via Fsutil\u0026rdquo; to your SIEM to identify this specific behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003efsutil.exe\u003c/code\u003e with arguments related to \u0026ldquo;deletejournal\u0026rdquo; and \u0026ldquo;usn\u0026rdquo; to detect potential attempts to delete the USN Journal.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of \u003ccode\u003efsutil.exe\u003c/code\u003e with the relevant arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-usn-journal-deletion/","summary":"Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.","title":"Windows USN Journal Deletion via Fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["discovery","windows","fsutil"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may leverage native operating system tools like \u003ccode\u003efsutil.exe\u003c/code\u003e to perform reconnaissance activities within a compromised environment. The \u003ccode\u003efsutil fsinfo drives\u003c/code\u003e command provides information about connected drives, including removable media, mapped network drives, and backup locations. Discovery of these devices can help adversaries identify valuable data stores for exfiltration or encryption as part of a broader attack campaign. This command can be run interactively or via automated scripts, making it a versatile tool for post-exploitation activities. Defenders should monitor for unusual execution of \u003ccode\u003efsutil\u003c/code\u003e with the \u003ccode\u003efsinfo drives\u003c/code\u003e arguments, particularly when executed by non-administrative users or from unusual locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line or script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsutil\u003c/code\u003e command uses the \u003ccode\u003efsinfo\u003c/code\u003e subcommand.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efsinfo\u003c/code\u003e subcommand uses the \u003ccode\u003edrives\u003c/code\u003e argument to list connected drives.\u003c/li\u003e\n\u003cli\u003eThe system returns a list of attached drives and their types (e.g., local, network, removable).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the output to identify potentially valuable targets.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to access identified drives.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware on the identified drives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful discovery of peripheral devices can lead to the identification of backup locations, mapped network drives, and removable media containing sensitive information. This information enables attackers to expand their reach within the compromised environment and increase the potential for data theft, encryption, or destruction. The low severity reflects the fact that this activity on its own is simply reconnaissance; the actual damage comes from subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious execution of \u003ccode\u003efsutil.exe\u003c/code\u003e (see below).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture \u003ccode\u003efsutil\u003c/code\u003e executions (see setup instructions in the Overview).\u003c/li\u003e\n\u003cli\u003eInvestigate any process executions of \u003ccode\u003efsutil.exe\u003c/code\u003e where the parent process is unexpected or the user context is unusual (see Triage and Analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-peripheral-device-discovery/","summary":"Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.","title":"Windows Peripheral Device Discovery via fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed — Fsutil","version":"https://jsonfeed.org/version/1.1"}