{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/usn-journal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","fsutil","usn journal"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers can use the \u003ccode\u003efsutil.exe\u003c/code\u003e utility to delete the volume USN Journal in Windows. The USN Journal tracks changes made to files and directories on a disk volume, including metadata for file creation, deletion, modification, and permission changes. Deleting this journal can hinder forensic analysis by removing evidence of file operations. This technique is used to cover tracks and evade detection after an initial compromise. This activity is often observed during the post-exploitation phase of an attack, where adversaries attempt to remove traces of their presence and actions on the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003efsutil.exe\u003c/code\u003e via command line.\u003c/li\u003e\n\u003cli\u003eThe command \u003ccode\u003efsutil usn deletejournal /D [volume]\u003c/code\u003e is used to delete the USN Journal on the specified volume.\u003c/li\u003e\n\u003cli\u003eThe operating system processes the command, removing the USN Journal.\u003c/li\u003e\n\u003cli\u003eSubsequent file system activity is no longer recorded in the USN Journal.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions on the system, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eForensic analysis is hampered due to the missing USN Journal entries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful deletion of the USN Journal impairs forensic investigations and incident response efforts. Without the USN Journal, analysts may struggle to determine the full scope of an intrusion, including files created, modified, or deleted by the attacker. This can lead to incomplete remediation and a higher risk of reinfection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect USN Journal Deletion via Fsutil\u0026rdquo; to your SIEM to identify this specific behavior.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003efsutil.exe\u003c/code\u003e with arguments related to \u0026ldquo;deletejournal\u0026rdquo; and \u0026ldquo;usn\u0026rdquo; to detect potential attempts to delete the USN Journal.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of \u003ccode\u003efsutil.exe\u003c/code\u003e with the relevant arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-usn-journal-deletion/","summary":"Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.","title":"Windows USN Journal Deletion via Fsutil","url":"https://feed.craftedsignal.io/briefs/2024-01-usn-journal-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Usn Journal","version":"https://jsonfeed.org/version/1.1"}