From 2759dd05658c42c981dabf0e363e4afbbd7ace71 Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Sat, 17 Sep 2022 08:01:53 -0400 Subject: [PATCH] Adding USN deletion that @bohops mentioned in #148 notes --- yml/OSBinaries/fsutil.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/yml/OSBinaries/fsutil.yml b/yml/OSBinaries/fsutil.yml index 0955c1f..8628ffc 100644 --- a/yml/OSBinaries/fsutil.yml +++ b/yml/OSBinaries/fsutil.yml @@ -11,6 +11,13 @@ Commands: Privileges: User MitreID: T1485 OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 + - Command: fsutil.exe usn deletejournal /d c: + Description: Delete the USN journal volume to hide file creation activity + Usecase: Can be used to hide file creation activity + Category: Tamper + Privileges: User + MitreID: T1485 + OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 Full_Path: - Path: C:\Windows\System32\fsutil.exe - Path: C:\Windows\SysWOW64\fsutil.exe @@ -20,3 +27,5 @@ Detection: Acknowledgement: - Person: Elliot Killick Handle: '@elliotkillick' + - Person: Jimmy + Handle: '@bohops'
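Review bot: `Privileges: User` on the new `fsutil.exe usn deletejournal /d c:` entry is wrong; deleting a volume's USN change journal is an administrative operation (fsutil itself needs an elevated prompt), so this should be `Privileges: Administrator` rather than copying the value from the entry above. The `Description` is also awkward ("Delete the USN journal volume"): suggest `Description: Delete the USN change journal on the C: volume to hide file creation and modification history`. Since the file already carries a `Detection:` section (visible in the second hunk's context), the new command deserves a detection entry there, e.g. command-line logging for `fsutil usn deletejournal`, so defenders have something to key on for this Tamper case.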
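Review bot: the new `Acknowledgement` entry `Person: Jimmy` does not follow the convention of the existing entry (`Person: Elliot Killick`, a full name paired with `Handle: '@elliotkillick'`); either use the contributor's full name if it is known, or keep only the `Handle: '@bohops'` line so the list stays consistent.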