Adversaries may use fsutil.exe to clear system logs in a healthcare environment, erasing forensic evidence of ransomware activity. SOC teams should proactively hunt for this behavior to detect and respond to ransomware incidents before critical data is encrypted or exfiltrated.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "fsutil.exe"
and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
id: 24216c89-0e83-4b53-8eb7-3349e52c3703
name: Ransomware hits healthcare - Clearing of system logs
description: |
  Look for attempts to use fsutil.exe to delete file system logs that can be used as forensic artifacts.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName =~ "fsutil.exe"
      and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: System Maintenance Task Using fsutil.exe
Description: A legitimate system maintenance task or script uses fsutil.exe to clear or manage file system logs as part of routine disk cleanup or disk defragmentation.
Filter/Exclusion: Exclude processes initiated by Task Scheduler with a known maintenance task name, e.g., DiskDefrag or DiskCleanup.

Scenario: Admin Performing Log Clearing for Compliance
Description: An administrator manually clears system logs using fsutil.exe as part of a compliance or audit preparation process.
Filter/Exclusion: Exclude executions by administrators or other privileged users who are following a documented log-clearing procedure.

Scenario: Scheduled Job for Log Rotation
Description: A scheduled job (e.g., via schtasks.exe) runs a script that uses fsutil.exe to rotate or clear logs as part of log management practices.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with a known log rotation job name, such as LogRotationJob.

Scenario: Antivirus or Endpoint Protection Tool Interaction
Description: A legitimate endpoint protection tool (e.g., Microsoft Defender, CrowdStrike, or Palo Alto) uses fsutil.exe as part of its forensic or log management capabilities.
Filter/Exclusion: Exclude processes whose parent process is a known endpoint security tool or that carry a known tool signature.

Scenario: Database or Storage Management Tool Usage
Description: A database or storage management tool (e.g., SQL Server, VMware vSphere, or NetApp) uses fsutil.exe to manage or clear file system logs during maintenance or backup operations.
Filter/Exclusion: Exclude processes initiated by known storage or database management tools, or with a parent process matching those
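The scenarios above describe exclusions in prose; the following is an added tuning example (not the page's own query) that applies them to the hunting query as explicit allowlists over the DeviceProcessEvents columns InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName and AccountName. Every task name, tool executable and account in the allowlists is a placeholder to be replaced from your own change records, and the example assumes that a scheduled task's name is visible in the initiating command line of the script it runs.

```kusto
// Added example, not part of the original page. Placeholder allowlists: replace with
// values documented in your own environment before use.
let lookback = 7d;
// Scenarios 1 and 3: scheduled maintenance / log-rotation tasks (placeholders).
let KnownMaintenanceTasks = dynamic(["DiskDefrag", "DiskCleanup", "LogRotationJob"]);
// Scenarios 4 and 5: endpoint-security, storage and database tool executables (placeholders).
let KnownToolParents = dynamic(["endpoint-agent-placeholder.exe", "storage-agent-placeholder.exe", "db-agent-placeholder.exe"]);
// Scenario 2: accounts with a documented log-clearing procedure (placeholder).
let DocumentedAdmins = dynamic(["svc-compliance-placeholder"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "fsutil.exe"
    and ProcessCommandLine has "usn" and ProcessCommandLine has "deletejournal"
// Launched by Task Scheduler (svchost.exe hosts the Schedule service) or schtasks.exe,
// and the initiating command line names a known task. Assumption: the task name
// appears in that command line, e.g. as part of the script path.
| extend FromKnownTask = InitiatingProcessFileName in~ ("svchost.exe", "schtasks.exe", "cmd.exe", "powershell.exe")
    and InitiatingProcessCommandLine has_any (KnownMaintenanceTasks)
// Spawned directly or one level down from a known tool executable.
| extend FromKnownTool = InitiatingProcessFileName in~ (KnownToolParents)
    or InitiatingProcessParentFileName in~ (KnownToolParents)
// Run under an account whose log-clearing procedure is documented.
| extend DocumentedAdmin = AccountName in~ (DocumentedAdmins)
| extend Suppressed = FromKnownTask or FromKnownTool or DocumentedAdmin
| extend SuppressReason = case(
    FromKnownTask, "known scheduled task",
    FromKnownTool, "known tool parent",
    DocumentedAdmin, "documented admin procedure",
    "")
// Suppressed rows stay in the result with their reason so the allowlists can be audited;
// unsuppressed rows sort first and are the ones to triage.
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    Suppressed, SuppressReason, ReportId
| order by Suppressed asc, Timestamp desc
```

Keeping suppressed rows visible rather than filtering them out lets an analyst confirm each allowlist entry still matches what it was created for; an allowlist based only on account membership should be reviewed more often than the others, because a compromised privileged account would match it too.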