title: Prefetch File Deletion
author: Cedric MAURUGEON
date: 2021/09/29
description: Detects the deletion of a prefetch file (AntiForensic)
detection:
  SELECTION_1:
    EventID: 23
  SELECTION_2:
    EventID: 26
  SELECTION_3:
    TargetFilename: C:\Windows\Prefetch\\*
  SELECTION_4:
    TargetFilename: '*.pf'
  SELECTION_5:
    Image: C:\windows\system32\svchost.exe
  SELECTION_6:
    User: NT AUTHORITY\SYSTEM
  condition: ((SELECTION_1 or SELECTION_2) and (SELECTION_3 and SELECTION_4) and  not
    (SELECTION_5 and SELECTION_6))
falsepositives:
- Unknown
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
level: high
logsource:
  category: file_delete
  product: windows
status: experimental
tags:
- attack.defense_evasion
- attack.t1070.004
ruletype: SIGMA