Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Prefetch File Deleted

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Cedric MAURUGEONCreated Wed Sep 29Updated Thu Jan 250a1f9d29-6465-4776-b091-7f43b26e4c89windows
Log Source
WindowsFile Delete
ProductWindows← raw: windows
CategoryFile Delete← raw: file_delete
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
Internal Research
2
Resolving title…
group-ib.com
MITRE ATT&CK
Rule Metadata
Rule ID
0a1f9d29-6465-4776-b091-7f43b26e4c89
Status
test
Level
high
Type
Detection
Created
Wed Sep 29
Modified
Thu Jan 25
Author
Cedric MAURUGEON
Path
rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
Raw Tags
attack.defense-evasionattack.t1070.004
View on GitHub