mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
117 lines
3.1 KiB
Markdown
117 lines
3.1 KiB
Markdown
# API Reference: Windows Prefetch Analysis Tools
|
|
|
|
## Prefetch File Format
|
|
|
|
### Location
|
|
```
|
|
C:\Windows\Prefetch\
|
|
```
|
|
|
|
### Filename Convention
|
|
```
|
|
EXECUTABLE_NAME-XXXXXXXX.pf
|
|
```
|
|
- `EXECUTABLE_NAME` - Uppercase name of the executed program
|
|
- `XXXXXXXX` - Hash of the executable path (8 hex characters)
|
|
- `.pf` - Prefetch file extension
|
|
|
|
### Version History
|
|
| Version | Windows OS | Notes |
|
|
|---------|-----------|-------|
|
|
| 17 | XP | Basic format |
|
|
| 23 | Vista, 7 | Added run count, timestamps |
|
|
| 26 | 8, 8.1 | Extended timestamps (8 entries) |
|
|
| 30 | 10, 11 | MAM compressed, 8 timestamps |
|
|
|
|
### Header Structure (Uncompressed)
|
|
| Offset | Size | Field |
|
|
|--------|------|-------|
|
|
| 0 | 4 | Version |
|
|
| 4 | 4 | Signature (SCCA) |
|
|
| 12 | 4 | File size |
|
|
| 16 | 60 | Executable name (UTF-16LE) |
|
|
| 76 | 4 | Prefetch hash |
|
|
|
|
## PECmd (Eric Zimmerman) - Full Parser
|
|
|
|
### Syntax
|
|
```bash
|
|
PECmd.exe -f <prefetch_file> # Single file
|
|
PECmd.exe -d <prefetch_directory> # Entire directory
|
|
PECmd.exe -d <dir> --csv <output_dir> # Export to CSV
|
|
PECmd.exe -d <dir> --json <output_dir> # Export to JSON
|
|
PECmd.exe -f <file> -q # Quiet mode
|
|
```
|
|
|
|
### Output Fields
|
|
| Field | Description |
|
|
|-------|-------------|
|
|
| `SourceFilename` | Original executable path |
|
|
| `RunCount` | Number of times executed |
|
|
| `LastRun` | Most recent execution timestamp |
|
|
| `PreviousRun0-7` | Up to 8 previous run timestamps (Win8+) |
|
|
| `FilesLoaded` | DLLs and files accessed during execution |
|
|
| `Directories` | Directories accessed |
|
|
| `VolumeSerialNumber` | Volume where executable resided |
|
|
|
|
## WinPrefetchView (NirSoft)
|
|
|
|
### GUI Features
|
|
- Lists all prefetch files with execution details
|
|
- Shows run count, timestamps, referenced files
|
|
- Export to CSV, HTML, or text
|
|
- Sort by any column for analysis
|
|
|
|
## Python Prefetch Parsing
|
|
|
|
### Structure Parsing
|
|
```python
|
|
import struct
|
|
|
|
with open("APP.EXE-HASH.pf", "rb") as f:
|
|
data = f.read()
|
|
|
|
version = struct.unpack_from("<I", data, 0)[0]
|
|
signature = data[4:8] # Should be b"SCCA"
|
|
exe_name = data[16:76].decode("utf-16-le").rstrip("\x00")
|
|
pf_hash = struct.unpack_from("<I", data, 76)[0]
|
|
```
|
|
|
|
### FILETIME Conversion
|
|
```python
|
|
import datetime
|
|
|
|
def filetime_to_datetime(filetime):
|
|
epoch = datetime.datetime(1601, 1, 1)
|
|
delta = datetime.timedelta(microseconds=filetime // 10)
|
|
return epoch + delta
|
|
```
|
|
|
|
## Suspicious Prefetch Indicators
|
|
|
|
### Offensive Tools
|
|
| Tool | Prefetch Name |
|
|
|------|---------------|
|
|
| Mimikatz | `MIMIKATZ.EXE-*.pf` |
|
|
| PsExec | `PSEXEC.EXE-*.pf`, `PSEXESVC.EXE-*.pf` |
|
|
| BloodHound | `SHARPHOUND.EXE-*.pf` |
|
|
| Rubeus | `RUBEUS.EXE-*.pf` |
|
|
| LaZagne | `LAZAGNE.EXE-*.pf` |
|
|
|
|
### LOLBins (Living Off the Land)
|
|
| Binary | Concern |
|
|
|--------|---------|
|
|
| `CERTUTIL.EXE` | File download, Base64 decode |
|
|
| `MSHTA.EXE` | Script execution via HTA |
|
|
| `REGSVR32.EXE` | COM scriptlet execution |
|
|
| `BITSADMIN.EXE` | File download |
|
|
| `MSBUILD.EXE` | Code execution via project files |
|
|
|
|
## Timeline Integration
|
|
|
|
### Plaso / log2timeline
|
|
```bash
|
|
log2timeline.py timeline.plaso /path/to/prefetch/
|
|
psort.py -o l2tcsv timeline.plaso > prefetch_timeline.csv
|
|
```
|