KQL Search

This query is designed to detect potential malicious activity related to the deletion of Prefetch files on a Windows system, which is a common tactic used by ransomware operators to cover their tracks. Here's a simple breakdown of what the query does:

1. Data Source: It looks at the DeviceProcessEvents table, which contains records of processes that have been executed on devices.

2. Time Frame: It filters the data to include only events from the last 7 days.

3. Specific Activity: It searches for process command lines that include the keywords "del", "C:\Windows\Prefetch", and ".pf". This combination indicates an attempt to delete Prefetch files, which are used by Windows to speed up the launch of applications and can be used in forensic investigations to track recently executed programs.

4. Output: The query projects (or selects) specific columns to display in the results:

   • Timestamp: When the event occurred.
   • DeviceName: The name of the device where the event took place.
   • InitiatingProcessFileName: The name of the process that initiated the command.
   • FileName: The name of the file involved in the process event.
   • ProcessCommandLine: The full command line that was executed.
   • AccountName: The user account under which the process was run.
   • ReportId: An identifier for the report or event.

In summary, this query helps identify attempts to delete Prefetch files, which could indicate an effort to erase evidence of executed programs, potentially signaling malicious activity like ransomware operations.