Windows Prefetch (.pf) files record which executables have run on a host, so their deletion may indicate an adversary removing evidence of execution to obscure their presence or activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evidence destruction and respond before further forensic data is lost. The rule below depends on file-delete telemetry (the Sigma category file_delete, e.g. Sysmon Event ID 23/26), so confirm that deletions under the Prefetch directory are actually being logged before relying on it.
Detection Rule
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: ':\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    filter_main_svchost:
        Image|endswith: ':\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
imFileEvent
// the ASIM parser unifies create/modify/delete events; keep deletions only
| where EventType == "FileDeleted"
// TargetFilePath holds the full path (TargetFileName is the bare file name); contains/endswith are case-insensitive in KQL
| where TargetFilePath contains ":\\Windows\\Prefetch\\" and TargetFilePath endswith ".pf"
// the Sigma 'Image' field is the acting process, so the filter must test ActingProcessName, not the deleted file's path
| where not(ActingProcessName endswith ":\\windows\\system32\\svchost.exe"
            and (ActorUsername contains "AUTHORI" or ActorUsername contains "AUTORI"))
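The following is an added example, not part of the Sigma rule, the KQL translation or the page: it implements the rule's selection, filter_main_* and condition semantics in Python and runs them over a handful of constructed file-delete events, so the behaviour of the filter can be checked before deploying it. It assumes Sysmon-style field names (Image, TargetFilename, User) as the rule does, the sample events are invented, and the extra cleanmgr.exe exclusion is a hypothetical tuning filter illustrating how a false-positive scenario would be expressed, not something the rule ships with.

```python
# Added example (not the rule's or the page's own code): the Sigma rule's
# selection / filter_main_* / condition logic in Python, run over constructed
# file-delete events. Field names are Sysmon-style, as in the rule; the events
# are made up for illustration.
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]


def _contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma |contains: case-insensitive unless |cased is given."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith(value: str, needles: Iterable[str]) -> bool:
    """Sigma |endswith: case-insensitive suffix match."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def selection(e: Event) -> bool:
    """selection: a .pf file under <drive>:\\Windows\\Prefetch\\ was deleted."""
    target = e.get("TargetFilename", "")
    return _contains(target, [":\\Windows\\Prefetch\\"]) and _endswith(target, [".pf"])


def filter_main_svchost(e: Event) -> bool:
    """filter_main_svchost: BOTH clauses must hold (a Sigma map is an AND).
    'AUTHORI' / 'AUTORI' cover 'NT AUTHORITY', 'NT-AUTORITÄT', 'AUTORITE NT', ..."""
    return (_endswith(e.get("Image", ""), [":\\windows\\system32\\svchost.exe"])
            and _contains(e.get("User", ""), ["AUTHORI", "AUTORI"]))


def filter_main_cleanmgr(e: Event) -> bool:
    """Hypothetical tuning filter for the Disk Cleanup scenario; not in the rule."""
    return _endswith(e.get("Image", ""), [":\\windows\\system32\\cleanmgr.exe"])


RULE_FILTERS: List[Callable[[Event], bool]] = [filter_main_svchost]


def matches(e: Event, filters=RULE_FILTERS) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(e) and not any(f(e) for f in filters)


def alerts(events: Iterable[Event], filters=RULE_FILTERS) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e, filters)]


SVCHOST = "C:\\Windows\\System32\\svchost.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
PF = "C:\\Windows\\Prefetch\\RUNDLL32.EXE-1A2B3C4D.pf"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # interactive deletion from a shell: the behaviour the rule targets
    {"id": "shell_delete", "Image": CMD, "User": "CORP\\jdoe", "TargetFilename": PF},
    # routine Prefetch housekeeping by a SYSTEM-owned svchost.exe: excluded
    {"id": "svchost_system", "Image": SVCHOST, "User": "NT AUTHORITY\\SYSTEM", "TargetFilename": PF},
    # same on a German system: 'AUTORI' matches 'NT-AUTORITÄT'
    {"id": "svchost_german", "Image": SVCHOST, "User": "NT-AUTORITÄT\\SYSTEM", "TargetFilename": PF},
    # svchost.exe under a user account: only half the filter holds, so it still alerts
    {"id": "svchost_user", "Image": SVCHOST, "User": "CORP\\jdoe", "TargetFilename": PF},
    # not a .pf file / not under Prefetch: outside the selection
    {"id": "not_pf", "Image": CMD, "User": "CORP\\jdoe", "TargetFilename": "C:\\Windows\\Prefetch\\Layout.ini"},
    {"id": "other_dir", "Image": CMD, "User": "CORP\\jdoe", "TargetFilename": "C:\\Temp\\RUNDLL32.EXE-1A2B3C4D.pf"},
    # Disk Cleanup: alerts with the stock rule, excluded once the tuning filter is added
    {"id": "cleanmgr", "Image": "C:\\Windows\\System32\\cleanmgr.exe", "User": "CORP\\admin", "TargetFilename": PF},
]

if __name__ == "__main__":
    print("stock rule:", alerts(SAMPLE_EVENTS))
    print("with cleanmgr exclusion:", alerts(SAMPLE_EVENTS, RULE_FILTERS + [filter_main_cleanmgr]))
```

The svchost_user event is the one to pay attention to: the exclusion only applies when both the image and the account match, so a process that merely carries the svchost.exe name but runs under a user account still alerts. Any tuning filter added for the scenarios below should be built the same way, pairing the process with the account or host it is expected on, rather than excluding a process name alone.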
Scenario: Scheduled System Maintenance Task Deletes Prefetch Files
Description: A legitimate system maintenance task (e.g., Windows Defragment and Optimize Drives or Disk Cleanup) may delete prefetch files as part of routine disk optimization.
Filter/Exclusion: Check the acting process in the event context (e.g., defrag.exe for Optimize Drives, cleanmgr.exe for Disk Cleanup, dism.exe for component cleanup), or filter by the scheduled task's action name. Pair the process name with the account the task runs under (normally SYSTEM) so that the exclusion does not also cover the same binary launched by an interactive user.
Scenario: Admin Performing Disk Cleanup via Command Line
Description: An administrator might manually delete prefetch files using del or rd commands in a command prompt or PowerShell session.
Filter/Exclusion: Do not exclude cmd.exe or powershell.exe deletions containing del or Remove-Item wholesale; a shell deleting files from the Prefetch directory is precisely the activity the rule is meant to catch. Instead, scope any exception to named administrator accounts, specific jump hosts or an approved change window, and review the full command line before accepting the event as benign.
Scenario: Antivirus or Endpoint Protection Scanning Deletes Prefetch Files
Description: Security software (e.g., Microsoft Defender, Bitdefender, or Kaspersky) may delete prefetch files during a scan as part of its cleanup process.
Filter/Exclusion: Check for process names like MsMpEng.exe, bdagent.exe, or kavsvc.exe, or filter by the presence of a known antivirus product in the event data.
Scenario: User-Initiated File Deletion for System Optimization
Description: A user might delete prefetch files manually to free up disk space or improve system performance.
Filter/Exclusion: Scope any exception to specific, documented user accounts and hosts rather than generic names such as Administrator, and confirm the deletion command line in the event context. Manual deletion of prefetch files by a user is uncommon, so treat such exceptions as temporary and review them periodically.
Scenario: Log File Rotation or Archive Process Deletes Prefetch Files
Description: A log rotation tool (e.g., logrotate, Windows Event Log Cleanup) might inadvertently delete prefetch files during a