Delete Volume USN Journal with fsutil

Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.

id:c91f422a-5214-4b17-8664-c5fcf115c0a2
categories:detect
confidence:low
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Defense Evasion
techniques:T1070 Indicator Removal on Host

Query

process where subtype.create and
    process_name == "fsutil.exe" and command_line == "* usn *" and command_line == "* deletejournal*"

Contributors