by Oleg Skulkin

Windows Prefetch files were introduced in Windows XP, and since that time they have helped digital forensics analysts and incident responders to find evidence of execution.

These files are stored under %SystemRoot%\Prefetch, and are designed to speed up applications’ startup processes. If we look at any prefetch files, we can see that their names consist of two parts: an executable name, and an eight-character hash of the executable’s location.

Prefetch files contain various metadata: executable name, run count, volume information, files and directories referenced by the executable, and of course, timestamps. We usually use a Prefetch file’s creation timestamp as the timestamp of the first execution. It also has the embedded timestamp of the last execution, and since version 26 (Windows 8.1), the 7 most recent last run times.

Let’s take one Prefetch file, parse it with Eric Zimmerman’s PECmd, and look at each part of the output. For demonstration purposes I’ll parse CCLEANER64.EXE-DE05DBE1.pf.

Ok, I’m going to start from the top. First of all, we have the file’s timestamps:

Next we have the executable’s name, the hash of its path, the executable’s size and the prefetch file version:

As we have the Windows 10 version, we next see the run count, last run timestamps and 7 more previous last run times:

Next we can see information about the volume, including its serial number and creation timestamp:

And last but not least – referenced files and directories:

The files and directories referenced by the executable are what I want to focus on today. This feature enables us as digital forensic analysts, incident responders or threat hunters to track not only the fact of execution, but also, in some cases, the exact techniques used by adversaries. Attackers use data wiping tools like SDelete quite often nowadays, so the ability to find at least traces of different tactics and techniques like these is a must-have skill for any modern examiner.

Let’s start from the Initial Access tactic (TA0001) and the most common technique – Spearphishing Attachment (T1193). Some APT groups choose weaponized attachments in a creative way. For example, Silence Group used weaponized CHM files in their spearphishing campaigns. Here is another interesting technique – Compiled HTML File (T1223). These files are run with hh.exe, so if we parse its Prefetch file, we can understand what exactly was opened by the victim:

Let’s keep digging into real-world examples and continue to the next tactic – Execution (TA0002), and CMSTP (T1191) techniques. The Microsoft Connection Manager Profile Installer (CMSTP.exe) may be used by attackers for launching malicious scripts. A good example is Cobalt Group. If we parse CMSTP.exe’s prefetch file and look at the ‘files referenced’ section, we can find what exactly was run with it:

So here we have a JavaScript scriptlet saved into 117696489.txt that was run by attackers with CMSTP.

Let’s continue with execution examples – Regsvr32 (T1117). Regsvr32.exe is commonly used by attackers to execute arbitrary binaries. Here is another example from Cobalt Group – these guys used regsvr32.exe to run scripts, so again, if we look inside the Prefetch file of this executable, we can find the location and name of the executed script:

Next tactics – Persistence (TA0001) and Privilege Escalation (TA0004), and Application Shimming (T1138) as an example. This technique was used by the notorious Carbanak/FIN7 for persistence. Usually sdbinst.exe is used for working with shim database files (.sdb), so we can use its Prefetch file to uncover a database’s file names and locations:

Here we have not only the file used for installation, but also the name of the installed custom database.

Let’s keep going and look at one of the most typical examples of lateral movement (TA0008) – PsExec, which interacts with the ADMIN$ network share (Windows Admin Shares, T1077). A PSEXESVC service (it may have a random name, of course, as it can be renamed by the attacker using the -r switch) will be created on the target system, and if we parse this executable’s Prefetch file, we can see what exactly was run:

Let’s finish where we started: file deletion (T1107). Many adversaries use the SDelete utility to remove software they used during a number of stages of the attack’s lifecycle. If we look at the sdelete.exe prefetch file, we can clearly see what was deleted with its help:

Of course, this is not a full list of techniques that can be found as a result of prefetch file analysis, but it should be enough to understand that such files can be used not only for finding evidence of execution, but also for uncovering the exact tactics and techniques used by the adversary.
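The triage logic below turns the hh.exe, CMSTP, regsvr32, sdbinst, PSEXESVC and SDelete cases above into a repeatable check over a parsed "files referenced" list. It is an added example, not code from the post or from PECmd; the input records are constructed in the shape of PECmd's output, the volume GUID and file locations are made up, and the `.inf` entry for CMSTP and the `treat_as` parameter (for a PSEXESVC renamed with -r) are assumptions added here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# PECmd prints referenced paths with a device/volume prefix; drop it before matching.
_VOLUME_PREFIX = re.compile(r"^\\(VOLUME\{[^}]+\}|DEVICE\\HARDDISKVOLUME\d+)", re.I)
# Locations holding the DLLs every process loads; anything outside them is worth a look.
_NOISE = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\", "\\WINDOWS\\WINSXS\\", "\\$MFT")

# Executables from the post -> (referenced extensions to pull out, technique as the post
# names it). None means "every non-system file" (SDelete opens whatever it wipes).
# The .inf entry for CMSTP is an assumption; the post's own case was a .txt scriptlet.
RULES: Dict[str, Tuple[Optional[Set[str]], str]] = {
    "HH.EXE": ({".chm"}, "T1223 Compiled HTML File"),
    "CMSTP.EXE": ({".inf", ".txt"}, "T1191 CMSTP"),
    "REGSVR32.EXE": ({".sct", ".dll"}, "T1117 Regsvr32"),
    "SDBINST.EXE": ({".sdb"}, "T1138 Application Shimming"),
    "PSEXESVC.EXE": ({".exe", ".bat", ".cmd", ".ps1"}, "T1077 Windows Admin Shares"),
    "SDELETE.EXE": (None, "T1107 File Deletion"),
}

@dataclass
class Finding:
    executable: str
    technique: str
    path: str

def strip_volume(path: str) -> str:
    return _VOLUME_PREFIX.sub("", path, count=1).upper()

def triage(executable: str, referenced: List[str], treat_as: Optional[str] = None) -> List[Finding]:
    """Return the referenced files that reveal the technique. `treat_as` maps a renamed
    tool (e.g. a PSEXESVC service started with -r) onto one of the RULES keys."""
    exe = (treat_as or executable).upper()
    if exe not in RULES:
        return []
    exts, technique = RULES[exe]
    findings = []
    for raw in referenced:
        rel = strip_volume(raw)
        name = rel.rsplit("\\", 1)[-1]
        if name == executable.upper() or rel.startswith(_NOISE):
            continue  # the tool's own image and the system DLLs it loads are noise
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if exts is None or ext in exts:
            findings.append(Finding(exe, technique, rel))
    return findings

# Constructed records shaped like PECmd's "files referenced" output (not real case data).
VOL = "\\VOLUME{01d4b5c3e6f7a8b9-a1b2c3d4}"
CMSTP_REFERENCED = [VOL + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", VOL + "\\WINDOWS\\SYSTEM32\\CMSTP.EXE",
                    VOL + "\\USERS\\PUBLIC\\117696489.TXT"]
PSEXESVC_REFERENCED = [VOL + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL", VOL + "\\WINDOWS\\PSEXESVC.EXE",
                       VOL + "\\WINDOWS\\TEMP\\STAGE2.BAT"]
```

Running `triage("CMSTP.EXE", CMSTP_REFERENCED)` leaves only the scriptlet path, which is exactly the line an analyst would pull out of the screenshot above.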

About The Author

Oleg Skulkin is senior digital forensic analyst at Group-IB, one of the global leaders in preventing and investigating high-tech crimes and online fraud. He holds a number of certifications, including GCFA, MCFE, and ACE. Oleg co-authored Windows Forensics Cookbook, Practical Mobile Forensics and Learning Android Forensics, as well as many blog posts and articles on digital forensics and incident response you can find online.