USN journal deletion
The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal, a technique used by attackers to eliminate evidence of files created during post-exploitation activities.
Data required
Procedure
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the Process field in the Endpoint data model.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE "Processes.process_name"=fsutil.exe BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest"
| rename "Processes.*" AS "*"
| search (process="*deletejournal*" process="*usn*")
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
| tstats allow_old_summaries=true count, values("Processes.process") AS process, values("Processes.parent_process") AS parent_process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE "Processes.process_name"=fsutil.exe BY "Processes.user", "Processes.process_name", "Processes.parent_process_name", "Processes.dest" |
Query the Endpoint.Processes data model object to search for fsutil.exe processes. Sort first by user, then process name, parent process name, and destination. |
| rename "Processes.*" AS "*" |
Rename data model fields for better readability. |
| search (process="*deletejournal*" process="*usn*") |
Search for USN journal deletion. |
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) |
Convert these times into readable strings. |
Next steps
If you find evidence of a ransomware infection from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.
Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.