creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-prefetch-files-for-execution-history/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

3.1 KiB
Raw Blame History

API Reference: Windows Prefetch Analysis Tools

Prefetch File Format

Location

C:\Windows\Prefetch\

Filename Convention

EXECUTABLE_NAME-XXXXXXXX.pf
  • EXECUTABLE_NAME - Uppercase name of the executed program
  • XXXXXXXX - Hash of the executable path (8 hex characters)
  • .pf - Prefetch file extension

Version History

Version Windows OS Notes
17 XP Basic format
23 Vista, 7 Added run count, timestamps
26 8, 8.1 Extended timestamps (8 entries)
30 10, 11 MAM compressed, 8 timestamps

Header Structure (Uncompressed)

Offset Size Field
0 4 Version
4 4 Signature (SCCA)
12 4 File size
16 60 Executable name (UTF-16LE)
76 4 Prefetch hash

PECmd (Eric Zimmerman) - Full Parser

Syntax

PECmd.exe -f <prefetch_file>              # Single file
PECmd.exe -d <prefetch_directory>          # Entire directory
PECmd.exe -d <dir> --csv <output_dir>     # Export to CSV
PECmd.exe -d <dir> --json <output_dir>    # Export to JSON
PECmd.exe -f <file> -q                    # Quiet mode

Output Fields

Field Description
SourceFilename Original executable path
RunCount Number of times executed
LastRun Most recent execution timestamp
PreviousRun0-7 Up to 8 previous run timestamps (Win8+)
FilesLoaded DLLs and files accessed during execution
Directories Directories accessed
VolumeSerialNumber Volume where executable resided

WinPrefetchView (NirSoft)

GUI Features

  • Lists all prefetch files with execution details
  • Shows run count, timestamps, referenced files
  • Export to CSV, HTML, or text
  • Sort by any column for analysis

Python Prefetch Parsing

Structure Parsing

import struct

with open("APP.EXE-HASH.pf", "rb") as f:
    data = f.read()

version = struct.unpack_from("<I", data, 0)[0]
signature = data[4:8]   # Should be b"SCCA"
exe_name = data[16:76].decode("utf-16-le").rstrip("\x00")
pf_hash = struct.unpack_from("<I", data, 76)[0]

FILETIME Conversion

import datetime

def filetime_to_datetime(filetime):
    epoch = datetime.datetime(1601, 1, 1)
    delta = datetime.timedelta(microseconds=filetime // 10)
    return epoch + delta

Suspicious Prefetch Indicators

Offensive Tools

Tool Prefetch Name
Mimikatz MIMIKATZ.EXE-*.pf
PsExec PSEXEC.EXE-*.pf, PSEXESVC.EXE-*.pf
BloodHound SHARPHOUND.EXE-*.pf
Rubeus RUBEUS.EXE-*.pf
LaZagne LAZAGNE.EXE-*.pf

LOLBins (Living Off the Land)

Binary Concern
CERTUTIL.EXE File download, Base64 decode
MSHTA.EXE Script execution via HTA
REGSVR32.EXE COM scriptlet execution
BITSADMIN.EXE File download
MSBUILD.EXE Code execution via project files

Timeline Integration

Plaso / log2timeline

log2timeline.py timeline.plaso /path/to/prefetch/
psort.py -o l2tcsv timeline.plaso > prefetch_timeline.csv
Reference in New Issue View Git Blame Copy Permalink