Adding USN deletion that @bohops mentioned in #148 notes

This commit is contained in:
Conor Richard
2022-09-17 08:01:53 -04:00
committed by GitHub
parent e878c66e6f
commit 2759dd0565


@@ -11,6 +11,13 @@ Commands:
Privileges: User
MitreID: T1485
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: fsutil.exe usn deletejournal /d c:
Description: Delete the USN journal volume to hide file creation activity
Usecase: Can be used to hide file creation activity
Category: Tamper
Privileges: User
MitreID: T1485
OperatingSystem: Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
- Path: C:\Windows\System32\fsutil.exe
- Path: C:\Windows\SysWOW64\fsutil.exe
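Review bot: `Privileges: User` on the new `fsutil.exe usn deletejournal /d c:` entry does not hold up; deleting a volume's USN change journal requires an elevated Administrator token, so this field should read `Privileges: Administrator`. The `User` value and `MitreID: T1485` look copied from the preceding entry; since the stated Usecase is hiding file creation activity rather than destroying data, T1070 (Indicator Removal) is the closer mapping and is worth considering. The Description would also read more clearly as `Delete the USN change journal of a volume to hide file creation activity`.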
@@ -20,3 +27,5 @@ Detection:
Acknowledgement:
- Person: Elliot Killick
Handle: '@elliotkillick'
- Person: Jimmy
Handle: '@bohops'
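Review bot: The `Detection:` block that this hunk header (`@@ -20,3 +27,5 @@ Detection:`) points at receives no entry for the new command, only the acknowledgement is added. Because `fsutil usn deletejournal` removes the very artifact an analyst would otherwise inspect, the observable is the invocation itself; consider adding a Detection line keyed on process creation of `fsutil.exe` with `usn` and `deletejournal` in the command line (for example Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled) so the entry is actionable for defenders.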