USN, or Update Sequence Number, is a vital component of the NTFS file system in Windows. The USN Journal is a change journal feature that logs alterations to files and directories on an NTFS volume.
.\MFTECmd.exe -f 'C:\path\to\target' --csv C:\path\to\output --csvf MFT-J.csv
python usn.py $J > usn.csv
Hunt
- Rename chains
- Create → execute → delete flow
- High-frequency modifications
Red Flags
- Multiple renames before execution
- Rapid dropper activity
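Added example (not part of the original notes) that runs the hunts and red flags above over the $J CSV: a USN record is keyed by (EntryNumber, SequenceNumber), which stays constant across renames, so rename chains, create-to-delete lifetimes and write bursts can be tracked per MFT record. It assumes a subset of the column names and the pipe-joined UpdateReasons values that MFTECmd writes; the sample rows are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the column layout MFTECmd writes for $J (assumed subset of columns).
SAMPLE_CSV = """EntryNumber,SequenceNumber,Name,UpdateTimestamp,UpdateReasons
1001,2,setup.tmp,2024-05-01 10:00:00.0000000,FileCreate
1001,2,stage1.exe,2024-05-01 10:00:02.0000000,RenameNewName|Close
1001,2,stage2.exe,2024-05-01 10:00:03.0000000,RenameNewName|Close
1001,2,stage2.exe,2024-05-01 10:00:40.0000000,FileDelete|Close
2002,1,notes.txt,2024-05-01 11:00:00.0000000,DataOverwrite|Close
2002,1,notes.txt,2024-05-01 11:00:05.0000000,DataOverwrite|Close
2002,1,notes.txt,2024-05-01 11:00:09.0000000,DataOverwrite|Close
"""

def parse_usn_csv(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["key"] = (r["EntryNumber"], r["SequenceNumber"])  # one lifetime of one MFT record
        r["ts"] = datetime.strptime(r["UpdateTimestamp"][:19], "%Y-%m-%d %H:%M:%S")
        r["reasons"] = set(r["UpdateReasons"].split("|"))
        rows.append(r)
    return rows
def find_rename_chains(rows, min_renames=2):
    """Records renamed min_renames or more times: {key: [new names, in journal order]}."""
    names = defaultdict(list)
    for r in rows:
        if "RenameNewName" in r["reasons"]:
            names[r["key"]].append(r["Name"])
    return {k: v for k, v in names.items() if len(v) >= min_renames}
def find_short_lived(rows, max_age=timedelta(minutes=5)):
    """Records created and deleted within max_age: [(key, last name, lifetime in seconds)]."""
    created, hits = {}, []
    for r in rows:  # journal order, so a FileCreate precedes its FileDelete
        if "FileCreate" in r["reasons"]:
            created.setdefault(r["key"], r["ts"])
        if "FileDelete" in r["reasons"] and r["key"] in created:
            age = (r["ts"] - created[r["key"]]).total_seconds()
            if age <= max_age.total_seconds():
                hits.append((r["key"], r["Name"], age))
    return hits
def find_burst_writes(rows, window=timedelta(seconds=30), min_events=3):
    """Records with min_events or more data writes inside a single window-sized span."""
    writes = defaultdict(list)
    for r in rows:
        if r["reasons"] & {"DataOverwrite", "DataExtend", "DataTruncation"}:
            writes[r["key"]].append(r["ts"])
    return [k for k, ts in writes.items()
            if any(ts[i + min_events - 1] - ts[i] <= window for i in range(len(ts) - min_events + 1))]
```

Replace SAMPLE_CSV with the contents of the MFTECmd output file to run it against a real $J export; the returned keys can then be joined back to the MFT CSV on EntryNumber/SequenceNumber.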
Correlate
- MFT
- Prefetch
- Security event ID 4688 (process creation)