Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Sigma rule

title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
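To show how the selection and the svchost filter combine, here is an added evaluator (not part of the Sigma project or of any Sigma backend) that applies the rule's logic, with Sigma's default case-insensitive matching, to a handful of constructed file-delete events. The prefetch hashes, user names and process paths in the sample events are made up for the example.

```python
# Added example: hand-written evaluator for the "Prefetch File Deleted" rule.
# Field names follow the rule (Image, User, TargetFilename); Sigma string
# modifiers are matched case-insensitively, as Sigma does by default.

def _low(value):
    return (value or "").lower()

def selection(ev: dict) -> bool:
    """TargetFilename|contains ':\\Windows\\Prefetch\\' and |endswith '.pf'."""
    target = _low(ev.get("TargetFilename"))
    return ":\\windows\\prefetch\\" in target and target.endswith(".pf")

def filter_main_svchost(ev: dict) -> bool:
    """svchost.exe running as the (possibly localized) system account.
    The User substrings AUTHORI/AUTORI cover 'NT AUTHORITY', 'NT-AUTORITÄT' etc."""
    image = _low(ev.get("Image"))
    user = _low(ev.get("User"))
    return image.endswith(":\\windows\\system32\\svchost.exe") and (
        "authori" in user or "autori" in user
    )

def matches(ev: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filter_main_svchost(ev)

def alerts(events) -> list:
    """Return the TargetFilename of every event the rule would fire on."""
    return [ev["TargetFilename"] for ev in events if matches(ev)]

# Constructed sample events (values are illustrative, not real telemetry).
SAMPLE_EVENTS = [
    # Routine prefetch housekeeping by the system account: filtered out.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf"},
    # Same on a German system; 'AUTORI' catches the localized account name.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT-AUTORITÄT\\SYSTEM",
     "TargetFilename": "C:\\Windows\\Prefetch\\EXPLORER.EXE-AAAAAAAA.pf"},
    # An interactive shell removing a .pf file: fires.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Windows\\Prefetch\\POWERSHELL.EXE-1A2B3C4D.pf"},
    # svchost.exe but NOT the system account: the filter needs both, so it fires.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Windows\\Prefetch\\CALC.EXE-0F0F0F0F.pf"},
    # Non-.pf file in the Prefetch folder: outside the selection.
    {"Image": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Windows\\Prefetch\\Layout.ini"},
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT prefetch file deleted:", name)
```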
Related rules
- ADS Zone.Identifier Deleted By Uncommon Application
- Backup Catalog Deleted
- Cisco File Deletion
- Directory Removal Via Rmdir
- File Deleted Via Sysinternals SDelete