Delete Volume USN Journal with fsutil¶
Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.
| id: | c91f422a-5214-4b17-8664-c5fcf115c0a2 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1070 Indicator Removal on Host |
Query¶
process where subtype.create and
process_name == "fsutil.exe" and command_line == "* usn *" and command_line == "* deletejournal*"