Windows Prefetch files provide execution evidence even after attacker cleanup. They are created by the Windows Prefetcher (SysMain service) to speed up application launches, but their forensic value is that they record execution time, run count,
\nand the files accessed during startup \u2014 all timestamped and persistent.<\/p>\n
Prefetch files live at The 8-character hash is computed from the full path of the executable. The same binary run from two different directories produces two different prefetch files. This means even if an attacker copies their tools to a new location, a new prefetch Maximum prefetch files: 128 (Windows XP\/Vista\/7), 1024 (Windows 8+). On heavily used systems, older entries are overwritten. On investigation targets that were not rebooted repeatedly, entries can go back weeks.<\/p>\n Sample output columns:<\/p>\n The referenced files list shows what the executable read during its first 10 seconds. For credential dumping tools this is extremely revealing:<\/p>\n The presence of LSASS.EXE in the referenced files list confirms the tool accessed LSASS. The LSASS.DMP reference reveals the output path \u2014 useful for knowing where to look for data that may have been exfiltrated.<\/p>\n Prefetching is disabled by default on Windows Server editions. The registry key:<\/p>\n On server compromises where Prefetch is disabled, the fallback artefacts are Amcache (which is present on Server editions), the Windows event log (4688 with command line logging), and Sysmon if deployed.<\/p>\n","protected":false},"excerpt":{"rendered":" Prefetch files can tell you what ran, when it ran, and sometimes from where –C:\\Windows\\Prefetch\\<\/code>. Naming convention:<\/p>\nEXECUTABLE_NAME-HASH.pf\n# Examples:\nMIMIKATZ.EXE-3A27C2B8.pf\nPROCDUMP.EXE-1B2C3D4E.pf\nCMD.EXE-89305D4C.pf\nCMD.EXE-AC113AA0.pf # different hash = run from different path<\/pre>\n
\nentry is created with the new path encoded in the hash.<\/p>\nData stored per prefetch file<\/h3>\n
\n
Parsing with PECmd<\/h3>\n
# Process single prefetch file\nPECmd.exe -f \"C:\\Windows\\Prefetch\\MIMIKATZ.EXE-3A27C2B8.pf\" --csv C:\\Output\\\n\n# Process entire Prefetch directory\nPECmd.exe -d \"C:\\Windows\\Prefetch\" --csv C:\\Output\\ --csvf prefetch_results.csv\n\n# Parse from forensic image (files extracted to working directory)\nPECmd.exe -d \/tmp\/prefetch_extracted\/ --csv \/tmp\/output\/<\/pre>\n
SourceFilename,SourceCreated,LastRun,RunCount,PreviousRun1,PreviousRun2,...\nMIMIKATZ.EXE-3A27C2B8.pf,2023-09-18 23:24:01,2023-09-18 23:28:44,3,2023-09-18 23:26:12,2023-09-18 23:24:01\nPROCDUMP.EXE-1B2C3D4E.pf,2023-09-18 23:31:05,2023-09-18 23:31:05,1,,<\/pre>\n
Referenced files analysis<\/h3>\n
# MIMIKATZ.EXE referenced files (partial):\n\\WINDOWS\\SYSTEM32\\LSASS.EXE\n\\WINDOWS\\SYSTEM32\\DBGHELP.DLL\n\\WINDOWS\\SYSTEM32\\NTDLL.DLL\n\\WINDOWS\\SYSTEM32\\LOGONSESSION.DLL\n\\USERS\\VICTIM\\DESKTOP\\LSASS.DMP <-- output file location<\/pre>\n
Timeline integration<\/h3>\n
python3 << EOF\nimport csv, datetime\n\n# Build execution timeline from PECmd output\nentries = []\nwith open("prefetch_results.csv") as f:\n for row in csv.DictReader(f):\n name = row["ExecutableName"]\n for ts_field in ["LastRun","PreviousRun1","PreviousRun2",\n "PreviousRun3","PreviousRun4","PreviousRun5",\n "PreviousRun6","PreviousRun7"]:\n if row.get(ts_field):\n try:\n ts = datetime.datetime.strptime(row[ts_field], "%Y-%m-%d %H:%M:%S")\n entries.append((ts, name, row["RunCount"]))\n except:\n pass\n\nentries.sort()\nincident_start = datetime.datetime(2023, 9, 18, 22, 0, 0)\nincident_end = datetime.datetime(2023, 9, 19, 2, 0, 0)\n\nfor ts, name, count in entries:\n if incident_start <= ts <= incident_end:\n # Flag suspicious executables\n suspicious = any(s in name.upper() for s in [\n "MIMIKATZ","PROCDUMP","METERPRETER","COBALTSTRIKE",\n "RUBEUS","SHARPHOUND","BLOODHOUND"\n ])\n marker = " *** SUSPICIOUS ***" if suspicious else ""\n print(f"{ts} | {name} | runs={count}{marker}")\nEOF<\/pre>\nPrefetch on Windows Server<\/h3>\n
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\PrefetchParameters\nValue: EnablePrefetcher\n 0 = Disabled\n 1 = Application prefetching only\n 2 = Boot prefetching only\n 3 = Both (default on workstations)<\/pre>\n
\neven after the original executable has been deleted.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":241,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/199\/revisions\/241"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}