Detect Journal Clearing

Description

This use case looks for the fsutil process clearing the update sequence number (USN) change journal.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Indicator Removal on Host

MITRE Threat Groups

APT28
APT29
APT32
APT38
APT41
Dragonfly 2.0
FIN5
FIN8

Kill Chain Phases

Actions on Objectives

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires Sysmon to be installed on the endpoints you wish to monitor and the Sysmon add-on installed on your forwarders and search heads.

Known False Positives

None at the moment

How To Respond

When this search fires, you will want to start your incident response process for dealing with a ransomware infection. You should verify with the system owner if this was an action taken on their part. You will want to investigate the parent process of fsutil and its activities as well.

Help

Detect Journal Clearing Help

This use case looks for the fsutil process clearing the update sequence number (USN) change journal.

SPL for Detect Journal Clearing

Demo Data

First we load our basic demo data
Next we look for any instances of fsutil being launched (EventCode 1 indicates a process launch), and filter to make sure our suspicious strings are in the CommandLine field.
Then we put the data into a table because that's the easiest thing to use.

Live Data

First we load our Sysmon data (though any EDR / process launch data containing the command line string would suffice). We are looking for any instances of fsutil being launched (EventCode 1 indicates a process launch), and filtering to make sure our suspicious strings are in the CommandLine field.
Then we put the data into a table because that's the easiest thing to use.
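The Demo Data and Live Data steps above, as an added example that is not the use case's own SPL: a small Python filter applying the same logic (EventCode 1, an fsutil image, and the USN journal deletion verbs in the command line) to constructed Sysmon-style events, returning the host, parent process and command line rows you would table for triage. The event lines and field names are constructed to resemble Sysmon process-creation fields and are not real telemetry.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style records written as key=value lines to stand in for
# the fields Splunk would extract. Not real telemetry from any host.
SAMPLE_EVENTS = [
    'EventCode=1 Computer=WKS01 Image=C:\\Windows\\System32\\fsutil.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="fsutil usn deletejournal /D C:"',
    'EventCode=1 Computer=WKS01 Image=C:\\Windows\\System32\\fsutil.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="fsutil fsinfo drives"',
    'EventCode=3 Computer=WKS01 Image=C:\\Windows\\System32\\fsutil.exe '
    'CommandLine="fsutil usn deletejournal /D C:"',
    'EventCode=1 Computer=WKS02 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="cmd.exe /c dir"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a field dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_journal_clearing(event: Dict[str, str]) -> bool:
    """Process launch (EventCode 1) of fsutil whose command line carries
    the USN journal deletion verbs; benign fsutil use is left alone."""
    if event.get("EventCode") != "1":
        return False
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("fsutil.exe") and "usn" in cmd and "deletejournal" in cmd


def detect_journal_clearing(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the table rows an analyst triages: host, parent, command line."""
    rows = []
    for line in lines:
        ev = parse_event(line)
        if is_journal_clearing(ev):
            rows.append({"Computer": ev.get("Computer", ""),
                         "ParentImage": ev.get("ParentImage", ""),
                         "CommandLine": ev.get("CommandLine", "")})
    return rows


if __name__ == "__main__":
    for row in detect_journal_clearing(SAMPLE_EVENTS):
        print(row)
```

The ParentImage column is kept because the response guidance above starts with investigating the parent of fsutil; a network event (EventCode 3) and an ordinary fsutil fsinfo call are deliberately excluded.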