
Windows Prefetching


Last updated 9 months ago

Introduction

Prefetching is a Windows memory management process in which the operating system pre-loads resources from disk into memory as a means of speeding up the loading time for applications. As part of its process, a .pf file is created in the C:\Windows\Prefetch directory and updated each subsequent time the application is executed.

The .pf file contains a list of resources, including files and directories that the executable referenced during execution, which is used to pre-load those resources the next time the application is executed.

What is the use of Prefetch Files?

  1. These files show how an application behaves, for example which applications execute automatically and which do not.

  2. Prefetch files can be used for forensic analysis of a particular application.

  3. The behaviour of malware can be studied with the help of prefetch files.

Prefetch file properties

Prefetch files are enabled by default on all Windows operating systems.

Prefetch, however, is disabled by default on Windows server operating systems and can be enabled through the registry.

Every Windows version caps the number of prefetch files it keeps:

Version      Maximum files
Windows XP   128
Windows 7    128
Windows 8    1024
Windows 10   1024

Prefetch configuration from the Registry

Prefetch can be configured from the registry. The path of the prefetch configuration in the registry is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The prefetcher is enabled when the EnablePrefetcher value under this key holds the data value 3. You can change the prefetcher configuration by changing that data value.

The value accepts four settings:

Value   Meaning
3       Enables the prefetcher for application startup and boot
2       Enables boot prefetching only
1       Enables the prefetcher for application startup only
0       Disables the prefetcher

How Investigators Use Prefetch File Contents

The prefetch file, while not intended for analysis, can provide a wealth of information for an investigator. When opened, a prefetch file can show:

  • Creation date – timestamped with the local time of the machine

  • Date/time of last execution – timestamped with the local time of the machine

  • Run count – the number of times the executable has been launched

  • Other run times – limited to the previous eight (8) executions

  • Directories and files referenced – includes other executables

  • Volumes and file paths – the location from which files were accessed

Example walkthrough

This is one of the questions from the Sherlock challenge Campfire-1:

What is the full path of the tool used to perform the actual kerberoasting attack?

Given the Prefetch folder, we are going to find the tool used for the attack and the full path of its files.

We use PECmd.exe (Eric Zimmerman's prefetch parser) to perform the tasks:

PECmd.exe -d prefetch --csv . --csvf prefetch.csv

This points PECmd at the Prefetch folder, processes every .pf file in it, and writes the output as CSV.

Scrolling through the output a bit, we find the tool to be Rubeus.exe.

To analyse a single prefetch file, we can pass the file directly to PECmd.exe:

PECmd.exe -f prefetch\RUBEUS.EXE-5873E24B.pf

When was the tool executed to dump credentials?

Since we know the attacker used Rubeus.exe, we look at its prefetch file.

PECmd also provides the timestamps at which the application was executed.
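As an added example (not part of the original page or of PECmd itself), a small Python script that automates the walkthrough above over PECmd's CSV output: it finds the prefetch entry for a given executable, recovers the binary's full path from the FilesLoaded column, and lists every recorded run time. The sample CSV rows, user name, volume id and timestamps are constructed, and the column names are assumed to match PECmd's CSV layout.

```python
import csv
import io

# Constructed sample of PECmd "--csv" output, trimmed to the columns this script
# reads; user name, volume id and timestamps are made up, not challenge data.
# Column names (ExecutableName, RunCount, LastRun, PreviousRun0-6, Volume0Name,
# FilesLoaded) are assumed to match PECmd's layout; adjust if yours differ.
SAMPLE_CSV = r"""ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,Volume0Name,FilesLoaded
NOTEPAD.EXE,5,2024-05-20 11:02:41,2024-05-19 09:15:00,,\VOLUME{0000000000000000-aaaaaaaa},"\VOLUME{0000000000000000-aaaaaaaa}\WINDOWS\SYSTEM32\NOTEPAD.EXE, \VOLUME{0000000000000000-aaaaaaaa}\WINDOWS\SYSTEM32\NTDLL.DLL"
RUBEUS.EXE,2,2024-05-21 03:18:09,2024-05-21 03:10:55,,\VOLUME{0000000000000000-aaaaaaaa},"\VOLUME{0000000000000000-aaaaaaaa}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{0000000000000000-aaaaaaaa}\USERS\JDOE\DOWNLOADS\RUBEUS.EXE"
"""

# LastRun plus the up-to-seven previous runs that Windows 8+ prefetch files keep.
RUN_COLUMNS = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]


def parse_pecmd_csv(text):
    """Parse PECmd CSV text into a list of row dicts (one per .pf file)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_executable(rows, name):
    """Return the row whose ExecutableName matches `name` (case-insensitive), else None."""
    name = name.upper()
    return next((r for r in rows if r["ExecutableName"].upper() == name), None)


def full_path(row, drive="C:"):
    r"""Recover the binary's full path: the FilesLoaded entry whose file name equals
    ExecutableName is the executable itself; its \VOLUME{...} prefix (Volume0Name)
    is swapped for `drive`, which is assumed to be that volume's drive letter."""
    exe = row["ExecutableName"].upper()
    for entry in row["FilesLoaded"].split(","):
        entry = entry.strip()
        if entry.upper().rsplit("\\", 1)[-1] == exe:
            return entry.replace(row["Volume0Name"], drive, 1)
    return None


def run_times(row):
    """All recorded execution timestamps for the row, oldest first."""
    times = [row.get(c, "") for c in RUN_COLUMNS]
    return sorted(t for t in times if t)


if __name__ == "__main__":
    rows = parse_pecmd_csv(SAMPLE_CSV)
    hit = find_executable(rows, "rubeus.exe")
    print("tool path:", full_path(hit), "| run count:", hit["RunCount"])
    for t in run_times(hit):
        print("executed :", t)
```

Run it against a real PECmd CSV by replacing SAMPLE_CSV with the file contents; volume-to-drive-letter mapping still has to be confirmed from the volume information PECmd prints.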

Author

Ik0nw

Interview Question

1) What are prefetch files?

2) Does Windows Server enable prefetching by default?

3) What is the maximum number of prefetch files on Windows 11?

https://f001.backblazeb2.com/file/EricZimmermanTools/net6/PECmd.zip