Prefetch File Deleted

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

Sigma rule:

title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021/09/29
modified: 2024/01/25
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
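The rule's selection, filter and condition as runnable Python, an added example that is not part of the Sigma rule or project; the sample events and account names are constructed, and Sysmon-style field names (Image, User, TargetFilename) are assumed.

```python
# Added example (not the Sigma project's code): applies the rule's selection,
# filter and condition to constructed file_delete events, roughly as a Sigma
# backend would. Sigma's contains/endswith are case-insensitive, so both
# sides are lowercased before comparing.

PREFETCH_DIR = ":\\windows\\prefetch\\"             # TargetFilename|contains
SVCHOST_PATH = ":\\windows\\system32\\svchost.exe"  # Image|endswith
BUILTIN_ACCOUNT_MARKERS = ("authori", "autori")     # User|contains, any locale


def selection_matches(event):
    """selection: a .pf file deleted inside <drive>:\\Windows\\Prefetch\\."""
    target = (event.get("TargetFilename") or "").lower()
    return PREFETCH_DIR in target and target.endswith(".pf")


def filter_main_svchost(event):
    """filter_main_svchost: svchost.exe running under a built-in account."""
    image = (event.get("Image") or "").lower()
    user = (event.get("User") or "").lower()
    return image.endswith(SVCHOST_PATH) and any(m in user for m in BUILTIN_ACCOUNT_MARKERS)


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event) and not filter_main_svchost(event)


def alerts(events):
    """Return the TargetFilename of every event the rule would flag."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


# Constructed sample events with Sysmon-style field names; not real telemetry.
SAMPLE_EVENTS = [
    # Routine prefetch housekeeping by svchost.exe as SYSTEM: filtered out.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetFilename": "C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf"},
    # Same on a German-locale host (NT-AUTORITÄT): the AUTORI marker still filters it.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT-AUTORIT\u00c4T\\SYSTEM",
     "TargetFilename": "C:\\Windows\\Prefetch\\NOTEPAD.EXE-D8414F97.pf"},
    # An interactive user deleting a .pf file with cmd.exe: alert.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Windows\\Prefetch\\CALC.EXE-1A2B3C4D.pf"},
    # A .pf file deleted outside the Prefetch folder: selection does not match.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe",
     "TargetFilename": "C:\\Users\\jdoe\\Desktop\\CALC.EXE-1A2B3C4D.pf"},
]
```

Note that svchost.exe deleting a prefetch file under an ordinary domain user is not covered by the filter and would still alert, which is the intended behaviour of `filter_main_svchost`.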
