title: Prefetch File Deletion
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: experimental
description: Detects the deletion of a prefetch file (AntiForensic)
level: high
author: Cedric MAURUGEON
date: 2021/09/29
modified: 2022/05/27
tags:
    - attack.defense_evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\Prefetch\'
        TargetFilename|endswith: '.pf'
    exception:
        Image: 'C:\windows\system32\svchost.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not exception
falsepositives:
    - Unknown