splApache-2.0from splunk/security_content
USN Journal Deletion
The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/usn_journal_deletion.yml
| tstats `security_content_summariesonly`
count values(Processes.process) as process
values(Processes.parent_process) as parent_process
min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_name=fsutil.exe
Processes.process = "*usn*"
Processes.process = "*deletejournal*"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `usn_journal_deletion_filter`