mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 20:55:17 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,116 @@
|
||||
# API Reference: Windows Prefetch Analysis Tools
|
||||
|
||||
## Prefetch File Format
|
||||
|
||||
### Location
|
||||
```
|
||||
C:\Windows\Prefetch\
|
||||
```
|
||||
|
||||
### Filename Convention
|
||||
```
|
||||
EXECUTABLE_NAME-XXXXXXXX.pf
|
||||
```
|
||||
- `EXECUTABLE_NAME` - Uppercase name of the executed program
|
||||
- `XXXXXXXX` - Hash of the executable path (8 hex characters)
|
||||
- `.pf` - Prefetch file extension
|
||||
|
||||
### Version History
|
||||
| Version | Windows OS | Notes |
|
||||
|---------|-----------|-------|
|
||||
| 17 | XP | Basic format |
|
||||
| 23 | Vista, 7 | Added run count, timestamps |
|
||||
| 26 | 8, 8.1 | Extended timestamps (8 entries) |
|
||||
| 30 | 10, 11 | MAM compressed, 8 timestamps |
|
||||
|
||||
### Header Structure (Uncompressed)
|
||||
| Offset | Size | Field |
|
||||
|--------|------|-------|
|
||||
| 0 | 4 | Version |
|
||||
| 4 | 4 | Signature (SCCA) |
|
||||
| 12 | 4 | File size |
|
||||
| 16 | 60 | Executable name (UTF-16LE) |
|
||||
| 76 | 4 | Prefetch hash |
|
||||
|
||||
## PECmd (Eric Zimmerman) - Full Parser
|
||||
|
||||
### Syntax
|
||||
```bash
|
||||
PECmd.exe -f <prefetch_file> # Single file
|
||||
PECmd.exe -d <prefetch_directory> # Entire directory
|
||||
PECmd.exe -d <dir> --csv <output_dir> # Export to CSV
|
||||
PECmd.exe -d <dir> --json <output_dir> # Export to JSON
|
||||
PECmd.exe -f <file> -q # Quiet mode
|
||||
```
|
||||
|
||||
### Output Fields
|
||||
| Field | Description |
|
||||
|-------|-------------|
|
||||
| `SourceFilename` | Original executable path |
|
||||
| `RunCount` | Number of times executed |
|
||||
| `LastRun` | Most recent execution timestamp |
|
||||
| `PreviousRun0-7` | Up to 8 previous run timestamps (Win8+) |
|
||||
| `FilesLoaded` | DLLs and files accessed during execution |
|
||||
| `Directories` | Directories accessed |
|
||||
| `VolumeSerialNumber` | Volume where executable resided |
|
||||
|
||||
## WinPrefetchView (NirSoft)
|
||||
|
||||
### GUI Features
|
||||
- Lists all prefetch files with execution details
|
||||
- Shows run count, timestamps, referenced files
|
||||
- Export to CSV, HTML, or text
|
||||
- Sort by any column for analysis
|
||||
|
||||
## Python Prefetch Parsing
|
||||
|
||||
### Structure Parsing
|
||||
```python
|
||||
import struct
|
||||
|
||||
with open("APP.EXE-HASH.pf", "rb") as f:
|
||||
data = f.read()
|
||||
|
||||
version = struct.unpack_from("<I", data, 0)[0]
|
||||
signature = data[4:8] # Should be b"SCCA"
|
||||
exe_name = data[16:76].decode("utf-16-le").rstrip("\x00")
|
||||
pf_hash = struct.unpack_from("<I", data, 76)[0]
|
||||
```
|
||||
|
||||
### FILETIME Conversion
|
||||
```python
|
||||
import datetime
|
||||
|
||||
def filetime_to_datetime(filetime):
|
||||
epoch = datetime.datetime(1601, 1, 1)
|
||||
delta = datetime.timedelta(microseconds=filetime // 10)
|
||||
return epoch + delta
|
||||
```
|
||||
|
||||
## Suspicious Prefetch Indicators
|
||||
|
||||
### Offensive Tools
|
||||
| Tool | Prefetch Name |
|
||||
|------|---------------|
|
||||
| Mimikatz | `MIMIKATZ.EXE-*.pf` |
|
||||
| PsExec | `PSEXEC.EXE-*.pf`, `PSEXESVC.EXE-*.pf` |
|
||||
| BloodHound | `SHARPHOUND.EXE-*.pf` |
|
||||
| Rubeus | `RUBEUS.EXE-*.pf` |
|
||||
| LaZagne | `LAZAGNE.EXE-*.pf` |
|
||||
|
||||
### LOLBins (Living Off the Land)
|
||||
| Binary | Concern |
|
||||
|--------|---------|
|
||||
| `CERTUTIL.EXE` | File download, Base64 decode |
|
||||
| `MSHTA.EXE` | Script execution via HTA |
|
||||
| `REGSVR32.EXE` | COM scriptlet execution |
|
||||
| `BITSADMIN.EXE` | File download |
|
||||
| `MSBUILD.EXE` | Code execution via project files |
|
||||
|
||||
## Timeline Integration
|
||||
|
||||
### Plaso / log2timeline
|
||||
```bash
|
||||
log2timeline.py timeline.plaso /path/to/prefetch/
|
||||
psort.py -o l2tcsv timeline.plaso > prefetch_timeline.csv
|
||||
```
|
||||
Reference in New Issue
Block a user