feat: ✨ Add more sigma rule

frack113 · May 12, 2024 · e3f3c3d · e3f3c3d
1 parent 3b928a1
commit e3f3c3d
Show file tree

Hide file tree

Showing 10 changed files with 67 additions and 14 deletions.
diff --git a/Full_tests.csv b/Full_tests.csv
@@ -1585,7 +1585,7 @@ discovery;T1033;powershell;['windows'];Find computers where user has session - S
 discovery;T1033;powershell;['windows'];User Discovery With Env Vars PowerShell Script;dcb6cdee-1fb0-4087-8bf8-88cfd136ba51;True;4
 discovery;T1033;powershell;['windows'];GetCurrent User with PowerShell Script;1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b;True;5
 discovery;T1033;powershell;['windows'];System Discovery - SocGholish whoami;3d257a03-eb80-41c5-b744-bb37ac7f65c7;True;6
-discovery;T1033;command_prompt;['windows'];System Owner/User Discovery Using Command Prompt;ba38e193-37a6-4c41-b214-61b33277fe36;False;7
+discovery;T1033;command_prompt;['windows'];System Owner/User Discovery Using Command Prompt;ba38e193-37a6-4c41-b214-61b33277fe36;True;7
 discovery;T1613;sh;['containers'];Docker Container and Resource Discovery;ea2255df-d781-493b-9693-ac328f9afc3f;False;1
 discovery;T1613;sh;['containers'];Podman Container and Resource Discovery;fc631702-3f03-4f2b-8d8a-6b3d055580a1;False;2
 discovery;T1615;command_prompt;['windows'];Display group policy information via gpresult;0976990f-53b1-4d3f-a185-6df5be429d3b;True;1
@@ -1677,6 +1677,7 @@ discovery;T1135;powershell;['windows'];PowerView ShareFinder;d07e4cc1-98ae-447e-
 discovery;T1135;powershell;['windows'];WinPwn - shareenumeration;987901d1-5b87-4558-a6d9-cffcabc638b8;True;9
 discovery;T1135;command_prompt;['windows'];Network Share Discovery via dir command;13daa2cf-195a-43df-a8bd-7dd5ffb607b5;False;10
 discovery;T1135;powershell;['windows'];Enumerate All Network Shares with SharpShares;d1fa2a69-b0a2-4e8a-9112-529b00c19a41;False;11
+discovery;T1135;powershell;['windows'];Enumerate All Network Shares with Snaffler;b19d74b7-5e72-450a-8499-82e49e379d1a;False;12
 discovery;T1120;powershell;['windows'];Win32_PnPEntity Hardware Inventory;2cb4dbf2-2dca-4597-8678-4d39d207a3a5;True;1
 discovery;T1120;powershell;['windows'];WinPwn - printercheck;cb6e76ca-861e-4a7f-be08-564caa3e6f75;True;2
 discovery;T1120;command_prompt;['windows'];Peripheral Device Discovery via fsutil;424e18fd-48b8-4201-8d3a-bf591523a686;False;3
@@ -1762,6 +1763,7 @@ discovery;T1057;powershell;['windows'];Process Discovery - Get-Process;3b3809b6-
 discovery;T1057;powershell;['windows'];Process Discovery - get-wmiObject;b51239b4-0129-474f-a2b4-70f855b9f2c2;False;4
 discovery;T1057;command_prompt;['windows'];Process Discovery - wmic process;640cbf6d-659b-498b-ba53-f6dd1a1cc02c;True;5
 discovery;T1057;command_prompt;['windows'];Discover Specific Process - tasklist;11ba69ee-902e-4a0f-b3b6-418aed7d7ddb;False;6
+discovery;T1057;powershell;['windows'];Process Discovery - Process Hacker;966f4c16-1925-4d9b-8ce0-01334ee0867d;False;7
 discovery;T1069.001;sh;['linux', 'macos'];Permission Groups Discovery (Local);952931a4-af0b-4335-bbbe-73c8c5b327ae;False;1
 discovery;T1069.001;command_prompt;['windows'];Basic Permission Groups Discovery Windows (Local);1f454dd6-e134-44df-bebb-67de70fb6cd8;True;2
 discovery;T1069.001;powershell;['windows'];Permission Groups Discovery PowerShell (Local);a580462d-2c19-4bc7-8b9a-57a41b7d3ba4;True;3
@@ -1820,7 +1822,7 @@ discovery;T1018;powershell;['windows'];Enumerate domain computers within Active
 discovery;T1018;powershell;['windows'];Enumerate Active Directory Computers with Get-AdComputer;97e89d9e-e3f5-41b5-a90f-1e0825df0fdf;True;17
 discovery;T1018;powershell;['windows'];Enumerate Active Directory Computers with ADSISearcher;64ede6ac-b57a-41c2-a7d1-32c6cd35397d;True;18
 discovery;T1018;powershell;['windows'];Get-DomainController with PowerView;b9d2e8ca-5520-4737-8076-4f08913da2c4;True;19
-discovery;T1018;powershell;['windows'];Get-WmiObject to Enumerate Domain Controllers;e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad;False;20
+discovery;T1018;powershell;['windows'];Get-WmiObject to Enumerate Domain Controllers;e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad;True;20
 discovery;T1018;command_prompt;['windows'];Remote System Discovery - net group Domain Controller;5843529a-5056-4bc1-9c13-a311e2af4ca0;True;21
 discovery;T1046;bash;['linux', 'macos'];Port Scan;68e907da-2539-48f6-9fc9-257a78c05540;False;1
 discovery;T1046;sh;['linux', 'macos'];Port Scan Nmap;515942b0-a09f-4163-a7bb-22fefb6f185f;True;2

diff --git a/missing_tests.csv b/missing_tests.csv
@@ -105,7 +105,7 @@ discovery;T1087.004;kubernetes_audit_rbac_permisions_listing.yml,azure_ad_azureh
 resource-development;T1587.001;win_exchange_proxylogon_oabvirtualdir.yml,file_event_win_office_uncommon_file_startup.yml,file_event_win_vhd_download_via_browsers.yml,proc_creation_win_pua_csexec.yml,proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml,proc_creation_win_sysinternals_psexec_remote_execution.yml,proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml,proc_creation_win_malware_formbook.yml,proc_creation_win_apt_mustangpanda.yml,proc_creation_win_malware_conti.yml,file_event_win_susp_binary_dropper.yml
 resource-development;T1586.003;okta_suspicious_activity_enduser_report.yml
 resource-development;T1588.001;lnx_clamav_relevant_message.yml
-resource-development;T1584;lnx_auditd_susp_exe_folders.yml,proxy_webdav_search_ms.yml,win_system_susp_system_update_error.yml,file_event_win_webdav_tmpfile_creation.yml
+resource-development;T1584;lnx_auditd_susp_exe_folders.yml,proxy_webdav_external_execution.yml,win_system_susp_system_update_error.yml,file_event_win_webdav_tmpfile_creation.yml
 resource-development;T1586;bitbucket_audit_unauthorized_access_detected.yml,bitbucket_audit_unauthorized_full_data_export_triggered.yml
 resource-development;T1608;proc_creation_win_susp_download_office_domain.yml,registry_event_hybridconnectionmgr_svc_installation.yml
 resource-development;T1588.002;proc_creation_win_hktl_execution_via_imphashes.yml,proc_creation_win_hktl_execution_via_pe_metadata.yml,proc_creation_win_renamed_sysinternals_debugview.yml,proc_creation_win_sysinternals_eula_accepted.yml,registry_add_pua_sysinternals_execution_via_eula.yml,registry_add_pua_sysinternals_renamed_execution_via_eula.yml,registry_add_pua_sysinternals_susp_execution_via_eula.yml,registry_set_renamed_sysinternals_eula_accepted.yml,registry_set_susp_keyboard_layout_load.yml
@@ -133,7 +133,7 @@ initial-access;T1195.001;github_disabled_outdated_dependency_or_vulnerability.ym
 initial-access;T1566.002;proc_creation_macos_susp_execution_macos_script_editor.yml
 initial-access;T1190;appframework_django_exceptions.yml,java_jndi_injection_exploitation_attempt.yml,java_local_file_read.yml,java_ognl_injection_exploitation_attempt.yml,java_rce_exploitation_attempt.yml,java_xxe_exploitation_attempt.yml,nodejs_rce_exploitation_attempt.yml,opencanary_ftp_login_attempt.yml,opencanary_http_get.yml,opencanary_http_post_login_attempt.yml,app_python_sql_exceptions.yml,appframework_ruby_on_rails_exceptions.yml,spring_application_exceptions.yml,spring_spel_injection.yml,app_sqlinjection_errors.yml,velocity_ssti_injection.yml,db_anomalous_query.yml,lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml,lnx_sshd_susp_ssh.yml,lnx_syslog_susp_named.yml,lnx_vsftpd_susp_error_messages.yml,proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml,proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml,proc_creation_lnx_omigod_scx_runasprovider_executescript.yml,proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml,net_dns_external_service_interaction_domains.yml,zeek_http_omigod_no_auth_rce.yml,web_apache_threading_error.yml,proxy_f5_tm_utility_bash_api_request.yml,proxy_ua_hacktool.yml,web_f5_tm_utility_bash_api_request.yml,web_iis_tilt_shortname_scan.yml,web_java_payload_in_access_logs.yml,web_jndi_exploit.yml,web_path_traversal_exploitation_attempt.yml,web_sql_injection_in_access_logs.yml,web_susp_useragents.yml,win_security_susp_failed_logon_source.yml,file_event_win_exchange_webshell_drop_suspicious.yml,file_event_win_susp_exchange_aspx_write.yml,proc_creation_win_mssql_susp_child_process.yml,proc_creation_win_remote_access_tools_screenconnect_webshell.yml,proc_creation_win_svchost_termserv_proc_spawn.yml,proc_creation_win_webshell_susp_process_spawned_from_webserver.yml,proc_creation_win_winrm_susp_child_process.yml,web_cve_2010_5278_exploitation_attempt.yml,web_cve_2014_6287_hfs_rce.yml,web_cve_2018_13379_fortinet_preauth_read_exploit.yml,web_cve_2018_2894_weblogic_exploit.yml,web_cve_2019_11510_pulsesecure_exploit.yml,web_cve_2019_19781_citrix_exploit.yml,web_cve_2019_3398_confluence.yml,web_cve_2020_0688_exchange_exploit.yml,web_cve_2020_0688_msexchange.yml,win_vul_cve_2020_0688.yml,web_cve_2020_10148_solarwinds_exploit.yml,proc_creation_win_exploit_cve_2020_10189.yml,proc_creation_win_exploit_cve_2020_1350.yml,web_cve_2020_14882_weblogic_exploit.yml,web_cve_2020_28188_terramaster_rce_exploit.yml,web_cve_2020_3452_cisco_asa_ftd.yml,web_cve_2020_5902_f5_bigip.yml,web_cve_2020_8193_8195_citrix_exploit.yml,web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml,web_cve_2021_2109_weblogic_rce_exploit.yml,web_cve_2021_21972_vsphere_unauth_rce_exploit.yml,web_cve_2021_21978_vmware_view_planner_exploit.yml,web_cve_2021_22005_vmware_file_upload.yml,web_cve_2021_22123_fortinet_exploit.yml,web_cve_2021_22893_pulse_secure_rce_exploit.yml,proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml,web_cve_2021_26084_confluence_rce_exploit.yml,web_cve_2021_26814_wzuh_rce.yml,web_cve_2021_26858_iis_rce.yml,web_cve_2021_27905_apache_solr_exploit.yml,web_cve_2021_28480_exchange_exploit.yml,web_cve_2021_33766_msexchange_proxytoken.yml,web_cve_2021_40539_adselfservice.yml,web_cve_2021_40539_manageengine_adselfservice_exploit.yml,win_vul_cve_2021_41379.yml,web_cve_2021_41773_apache_path_traversal.yml,web_cve_2021_42237_sitecore_report_ashx.yml,web_cve_2021_43798_grafana.yml,web_cve_2021_44228_log4j.yml,web_cve_2021_44228_log4j_fields.yml,web_exchange_proxyshell.yml,web_sonicwall_jarrewrite_exploit.yml,web_exchange_exploitation_hafnium.yml,web_cve_2022_21587_oracle_ebs.yml,proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml,web_cve_2022_27925_exploit.yml,web_cve_2022_31656_auth_bypass.yml,web_cve_2022_31659_vmware_rce.yml,web_cve_2022_33891_spark_shell_command_injection.yml,web_cve_2022_36804_atlassian_bitbucket_command_injection.yml,proxy_cve_2022_36804_exchange_owassrf_exploitation.yml,proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml,web_cve_2022_36804_exchange_owassrf_exploitation.yml,web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml,web_cve_2022_44877_exploitation_attempt.yml,web_cve_2022_46169_cacti_exploitation_attempt.yml,proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml,proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml,proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml,web_exploit_cve_2023_22518_confluence_auth_bypass.yml,lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml,web_cve_2023_23752_joomla_exploit_attempt.yml,web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml,web_cve_2023_27997_pre_authentication_rce.yml,file_event_win_exploit_cve_2023_34362_moveit_transfer.yml,proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml,web_exploit_cve_2023_43261_milesight_information_disclosure.yml,proxy_cve_2023_46747_f5_remote_code_execution.yml,web_cve_2023_46747_f5_remote_code_execution.yml,proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml,proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml,web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml,web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml,proc_creation_win_exploit_other_win_server_undocumented_rce.yml
 initial-access;T1199;microsoft365_user_restricted_from_sending_email.yml
-initial-access;T1566;okta_fastpass_phishing_detection.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,proxy_download_susp_tlds_blacklist.yml,proxy_download_susp_tlds_whitelist.yml,proxy_webdav_search_ms.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,proc_creation_win_hh_html_help_susp_child_process.yml,proc_creation_win_hh_susp_execution.yml,proc_creation_win_office_onenote_susp_child_processes.yml,proc_creation_win_susp_archiver_iso_phishing.yml,file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml,registry_set_cve_2021_31979_cve_2021_33771_exploits.yml,file_event_win_webdav_tmpfile_creation.yml
+initial-access;T1566;okta_fastpass_phishing_detection.yml,proc_creation_macos_susp_execution_macos_script_editor.yml,proxy_download_susp_tlds_blacklist.yml,proxy_download_susp_tlds_whitelist.yml,proxy_webdav_external_execution.yml,file_event_win_initial_access_dll_search_order_hijacking.yml,proc_creation_win_hh_html_help_susp_child_process.yml,proc_creation_win_hh_susp_execution.yml,proc_creation_win_office_onenote_susp_child_processes.yml,proc_creation_win_susp_archiver_iso_phishing.yml,file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml,registry_set_cve_2021_31979_cve_2021_33771_exploits.yml,file_event_win_webdav_tmpfile_creation.yml
 initial-access;T1078;opencanary_ssh_login_attempt.yml,opencanary_ssh_new_connection.yml,opencanary_telnet_login_attempt.yml,aws_susp_saml_activity.yml,azure_ad_user_added_to_admin_role.yml,azure_kubernetes_admission_controller.yml,azure_ad_account_created_deleted.yml,azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml,azure_federation_modified.yml,azure_pim_alerts_disabled.yml,azure_subscription_permissions_elevation_via_auditlogs.yml,azure_identity_protection_anonymous_ip_activity.yml,azure_identity_protection_atypical_travel.yml,azure_identity_protection_impossible_travel.yml,azure_identity_protection_new_coutry_region.yml,azure_identity_protection_suspicious_browser.yml,azure_identity_protection_threat_intel.yml,azure_identity_protection_unfamilar_sign_in.yml,azure_pim_account_stale.yml,azure_pim_invalid_license.yml,azure_pim_role_assigned_outside_of_pim.yml,azure_pim_role_frequent_activation.yml,azure_pim_role_not_used.yml,azure_pim_role_no_mfa_required.yml,azure_pim_too_many_global_admins.yml,azure_ad_auth_failure_increase.yml,azure_ad_auth_sucess_increase.yml,azure_ad_auth_to_important_apps_using_single_factor_auth.yml,azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml,azure_app_device_code_authentication.yml,azure_app_ropc_authentication.yml,azure_unusual_authentication_interruption.yml,gcp_kubernetes_admission_controller.yml,microsoft365_impossible_travel_activity.yml,microsoft365_logon_from_risky_ip_address.yml,proc_creation_macos_dsenableroot_enable_root_account.yml,proc_creation_macos_sysadminctl_enable_guest_account.yml,cisco_bgp_md5_auth_failed.yml,cisco_ldp_md5_auth_failed.yml,huawei_bgp_auth_failed.yml,juniper_bgp_missing_md5.yml,win_security_susp_computer_name.yml,win_security_susp_failed_logon_reasons.yml,win_security_susp_logon_explicit_credentials.yml,win_security_user_added_to_local_administrators.yml,win_security_successful_external_remote_rdp_login.yml,win_security_successful_external_remote_smb_login.yml,win_security_susp_failed_logon_source.yml,posh_pm_susp_reset_computermachinepassword.yml,proc_creation_win_net_use_password_plaintext.yml
 initial-access;T1078.002;win_security_admin_rdp_login.yml
 initial-access;T1200;win_usb_device_plugged.yml,win_security_device_installation_blocked.yml,win_security_external_device.yml

diff --git a/sigma_rule.csv b/sigma_rule.csv
@@ -403,6 +403,7 @@ file_event_lnx_wget_download_file_in_tmp_dir.yml;False
 net_connection_lnx_back_connect_shell_dev.yml;False
 net_connection_lnx_crypto_mining_indicators.yml;False
 net_connection_lnx_ngrok_tunnel.yml;False
+net_connection_lnx_susp_malware_callback_port.yml;False
 proc_creation_lnx_at_command.yml;False
 proc_creation_lnx_base64_decode.yml;False
 proc_creation_lnx_base64_execution.yml;False
@@ -639,7 +640,7 @@ proxy_ua_powershell.yml;False
 proxy_ua_rclone.yml;False
 proxy_ua_susp.yml;False
 proxy_ua_susp_base64.yml;False
-proxy_webdav_search_ms.yml;False
+proxy_webdav_external_execution.yml;False
 web_f5_tm_utility_bash_api_request.yml;False
 web_iis_tilt_shortname_scan.yml;False
 web_java_payload_in_access_logs.yml;False
@@ -716,12 +717,13 @@ win_dns_server_susp_server_level_plugin_dll.yml;False
 win_usb_device_plugged.yml;False
 win_firewall_as_add_rule.yml;False
 win_firewall_as_add_rule_susp_folder.yml;False
+win_firewall_as_add_rule_wmiprvse.yml;False
 win_firewall_as_delete_all_rules.yml;False
 win_firewall_as_delete_rule.yml;False
 win_firewall_as_failed_load_gpo.yml;False
 win_firewall_as_reset_config.yml;False
 win_firewall_as_setting_change.yml;False
-win_ldap_recon.yml;False
+win_ldap_recon.yml;True
 win_lsa_server_normal_user_admin.yml;False
 win_exchange_proxylogon_oabvirtualdir.yml;False
 win_exchange_proxyshell_certificate_generation.yml;False
@@ -1015,6 +1017,7 @@ driver_load_win_windivert.yml;False
 file_access_win_browser_credential_access.yml;True
 file_access_win_credential_manager_access.yml;False
 file_access_win_dpapi_master_key_access.yml;False
+file_access_win_outlook_mail_credential_access.yml;False
 file_access_win_reg_and_hive_access.yml;False
 file_access_win_susp_cred_hist_access.yml;False
 file_access_win_susp_gpo_access_file.yml;False
@@ -2743,7 +2746,6 @@ registry_set_disable_macroruntimescanscope.yml;False
 registry_set_disable_privacy_settings_experience.yml;True
 registry_set_disable_security_center_notifications.yml;True
 registry_set_disable_system_restore.yml;True
-registry_set_disable_uac_registry.yml;True
 registry_set_disable_windows_defender_service.yml;False
 registry_set_disable_windows_firewall.yml;True
 registry_set_disable_winevt_logging.yml;True
@@ -2860,6 +2862,9 @@ registry_set_uac_bypass_eventvwr.yml;False
 registry_set_uac_bypass_sdclt.yml;False
 registry_set_uac_bypass_winsat.yml;False
 registry_set_uac_bypass_wmp.yml;False
+registry_set_uac_disable.yml;True
+registry_set_uac_disable_notification.yml;False
+registry_set_uac_disable_secure_desktop_prompt.yml;False
 registry_set_vbs_payload_stored.yml;False
 registry_set_wab_dllpath_reg_change.yml;False
 registry_set_wdigest_enable_uselogoncredential.yml;True
@@ -3247,6 +3252,7 @@ posh_pc_alternate_powershell_hosts.yml;False
 posh_pm_susp_netfirewallrule_recon.yml;False
 posh_ps_compress_archive_usage.yml;True
 posh_ps_mailbox_access.yml;False
+posh_ps_new_netfirewallrule_allow.yml;False
 posh_ps_new_smbmapping_quic.yml;False
 posh_ps_registry_reconnaissance.yml;False
 posh_ps_remove_item_path.yml;True
@@ -3273,6 +3279,7 @@ proc_creation_win_office_svchost_parent.yml;True
 proc_creation_win_powershell_abnormal_commandline_size.yml;True
 proc_creation_win_powershell_crypto_namespace.yml;False
 proc_creation_win_powershell_import_module.yml;False
+proc_creation_win_powershell_new_netfirewallrule_allow.yml;False
 proc_creation_win_regsvr32_dllregisterserver_exec.yml;False
 proc_creation_win_remote_access_tools_screenconnect_child_proc.yml;False
 proc_creation_win_rundll32_dllregisterserver.yml;False

diff --git a/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml b/yml/00682c9f-7df4-4df8-950b-6dcaaa3ad9af.yml
@@ -13,7 +13,7 @@ technique:
   - T1059.003
 os:
   - windows
-description: |-
+description: |--
       Simulate DarkGate malware's second stage by writing a VBscript to disk directly from the command prompt then executing it.
       The script will execute 'whoami' then exit.
 executor: command_prompt

diff --git a/yml/36f96049-0ad7-4a5f-8418-460acaeb92fb.yml b/yml/36f96049-0ad7-4a5f-8418-460acaeb92fb.yml
@@ -12,7 +12,7 @@ technique:
 os:
   - windows
 description: |
-  Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
+  Delete a single prefetch file.  Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run `(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count`
   before and after the test to verify that the number of prefetch files decreases by 1.
 executor: powershell
 sigma: true