https://feed.craftedsignal.io/tags/fsutil/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.Attackers can use the fsutil.exe utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal can hinder forensic analysis by removing evidence of file operations. This technique is used to cover tracks and evade detection after an initial compromise. This activity is often observed during the post-exploitation phase of an attack, where adversaries attempt to remove traces of their presence and actions on the compromised system.

Attack Chain

1. An attacker gains initial access to a Windows system.
2. The attacker executes fsutil.exe via command line.
3. The command fsutil usn deletejournal /D [volume] is used to delete the USN Journal on the specified volume.
4. The operating system processes the command, removing the USN Journal.
5. Subsequent file system activity is no longer recorded in the USN Journal.
6. The attacker performs further actions on the system, such as lateral movement or data exfiltration.
7. Forensic analysis is hampered due to the missing USN Journal entries.

Impact

Successful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. This can lead to incomplete remediation and a higher risk of reinfection.

Recommendation

• Deploy the Sigma rule “Detect USN Journal Deletion via Fsutil” to your SIEM to identify this specific behavior.
• Monitor process execution events for fsutil.exe with arguments related to “deletejournal” and “usn” to detect potential attempts to delete the USN Journal.
• Enable Sysmon process creation logging to capture the execution of fsutil.exe with the relevant arguments.

]]>lowadvisorydefense-evasionwindowsfsutilusn journalhttps://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-peripheral-device-discovery/Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.Attackers may leverage native operating system tools like fsutil.exe to perform reconnaissance activities within a compromised environment. The fsutil fsinfo drives command provides information about connected drives, including removable media, mapped network drives, and backup locations. Discovery of these devices can help adversaries identify valuable data stores for exfiltration or encryption as part of a broader attack campaign. This command can be run interactively or via automated scripts, making it a versatile tool for post-exploitation activities. Defenders should monitor for unusual execution of fsutil with the fsinfo drives arguments, particularly when executed by non-administrative users or from unusual locations.

Attack Chain

1. An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).
2. The attacker executes fsutil.exe via command line or script.
3. The fsutil command uses the fsinfo subcommand.
4. The fsinfo subcommand uses the drives argument to list connected drives.
5. The system returns a list of attached drives and their types (e.g., local, network, removable).
6. The attacker analyzes the output to identify potentially valuable targets.
7. The attacker moves laterally to access identified drives.
8. The attacker exfiltrates sensitive data or deploys ransomware on the identified drives.

Impact

Successful discovery of peripheral devices can lead to the identification of backup locations, mapped network drives, and removable media containing sensitive information. This information enables attackers to expand their reach within the compromised environment and increase the potential for data theft, encryption, or destruction. The low severity reflects the fact that this activity on its own is simply reconnaissance; the actual damage comes from subsequent actions.

Recommendation

• Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious execution of fsutil.exe (see below).
• Enable process creation logging with command line arguments to capture fsutil executions (see setup instructions in the Overview).
• Investigate any process executions of fsutil.exe where the parent process is unexpected or the user context is unusual (see Triage and Analysis).

]]>lowadvisorydiscoverywindowsfsutil