fsutil_deleting_journals.yml

asset_type: Endpoint
confidence: medium
creation_date: '2017-06-27'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
    - Tanium
    - Ziften
description: The fsutil.exe application is a legitimate Windows utility used to perform
  tasks related to the file allocation table (FAT) and NTFS file systems. The update
  sequence number (USN) change journal provides a log of all changes made to the files
  on the disk. This search looks for fsutil.exe deleting the USN journal.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, process_name
        rule_description: The system $dest$ deleted its NTFS journals.
        rule_title: File System Journal Deleted on $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.process) as process
        values(Processes.parent_process) as parent_process min(_time) as firstTime
        max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe
        by Processes.user Processes.process_name Processes.parent_process_name Processes.dest  |
        `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |
        search process="*deletejournal*" AND process="*usn*"'
      suppress:
        suppress_fields: dest,user,process_name
        suppress_period: 14400s
eli5: This search looks for the execution of fsutil.exe with command-line arguments
  to delete the USN journal. The search returns the count of the number of times it's
  seen this process execution with these arguments, the first and last time it's seen
  this behavior, the hosts it was executed on, and the user context under which it
  was executed.
entities:
  - dest
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
id: b6e0ff70-b122-4227-9368-4cf322ab43c3
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: fecf2918-670d-4f1c-872b-3d7317a41bf9
    name: Get Parent Process Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
    name: Get Process Info
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: None identified
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  cis20:
    - CIS 6
    - CIS 8
    - CIS 10
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Defense Evasion
    - Indicator Removal on Host
  nist:
    - DE.CM
    - PR.PT
    - DE.AE
    - DE.DP
    - PR.IP
modification_date: '2018-12-03'
name: USN Journal Deletion
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'