
USN Journal Deletion

Splunk Security Content

Summary
The rule detects deletion of the USN Journal with the fsutil.exe command. This action is significant because the USN Journal, which logs changes to files on a disk, is crucial for forensic investigations; deleting it may indicate an attempt to cover tracks by obscuring file modifications. For detection, the rule uses telemetry from Endpoint Detection and Response (EDR) agents, in particular process execution logs that capture command-line details. The associated Splunk searches look for executions of fsutil.exe whose command line contains keywords related to the USN journal, so that security teams can identify this activity in real time.
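As an added example, not part of the Splunk Security Content rule or its SPL, the following Python reproduces the detection logic over constructed process-execution events: it flags fsutil.exe invocations whose command line carries the usn and deletejournal keywords, while a read-only usn queryjournal and a file name that merely contains the words do not fire. It goes slightly beyond the summary by also matching when fsutil is named on another process's command line; the event schema and sample values are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class ProcessEvent:
    """One process-execution record, in the shape an EDR agent might emit (assumed schema)."""
    host: str
    user: str
    process_name: str   # image name of the launched process
    command_line: str   # full command line as captured by the agent

# Constructed sample telemetry for the demonstration; not real EDR output.
SAMPLE_EVENTS = [
    # read-only query of the journal: should not alert
    ProcessEvent("ws01", "alice", "fsutil.exe", "fsutil usn queryjournal C:"),
    # journal deletion with a fully qualified, quoted path
    ProcessEvent("ws02", "SYSTEM", "fsutil.exe",
                 r'"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:'),
    # same action launched through cmd.exe, mixed case, /N (disable) switch
    ProcessEvent("ws03", "bob", "cmd.exe", "cmd.exe /c FSUTIL USN DELETEJOURNAL /N D:"),
    # keywords embedded in a file name, not an fsutil invocation: should not alert
    ProcessEvent("ws04", "carol", "notepad.exe", r"notepad.exe C:\notes\usn_deletejournal.txt"),
]

# Split on whitespace and drop surrounding quotes so a quoted path becomes one token.
_TOKEN = re.compile(r"[^\s\"']+")

def _invokes_fsutil(event: ProcessEvent, tokens: List[str]) -> bool:
    """True if the process itself is fsutil.exe or its command line calls fsutil by name."""
    if event.process_name.lower() == "fsutil.exe":
        return True
    # compare the basename of each token so C:\Windows\System32\fsutil.exe also matches
    return any(t.rsplit("\\", 1)[-1] in ("fsutil", "fsutil.exe") for t in tokens)

def is_usn_journal_deletion(event: ProcessEvent) -> bool:
    """Mirror the rule's logic: fsutil plus the 'usn' and 'deletejournal' keywords."""
    tokens = [t.lower() for t in _TOKEN.findall(event.command_line)]
    # whole-token matching avoids false positives from file names containing the words
    return _invokes_fsutil(event, tokens) and "usn" in tokens and "deletejournal" in tokens

def find_usn_journal_deletions(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that would raise this detection, in input order."""
    return [e for e in events if is_usn_journal_deletion(e)]

if __name__ == "__main__":
    for hit in find_usn_journal_deletions(SAMPLE_EVENTS):
        print(f"ALERT host={hit.host} user={hit.user} cmd={hit.command_line}")
```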
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1070
Created: 2024-11-13