Windows.Detection.PrefetchHunter

This artifact enables hunting prefetch entries for accessed files of interest.

Returned results include relevant prefetch information like executable, accessed file, and prefetch metadata.

For example, to hunt for MSBuild template files generated by an attack framework:
ExecutableRegex = msbuild.exe
TargetRegex = \\Windows\\Temp\\


name: Windows.Detection.PrefetchHunter
author: Matt Green - @mgreen27
description: |
  This artifact enables hunting prefetch entries for accessed files of interest.

  Returned results include relevant prefetch information like executable, accessed
  file, and prefetch metadata.

  For example, to hunt for MSBuild template files generated by an attack framework:
    ExecutableRegex = msbuild.exe
    TargetRegex = \\Windows\\Temp\\
  
parameters:
    - name: PrefetchGlobs
      description: "Target prefetch files"
      default: C:\Windows\Prefetch\*.pf
    - name: DateAfter
      description: "Search for prefetch files with M or B time after this date. YYYY-MM-DDThh:mm:ssZ"
      type: timestamp
    - name: DateBefore
      description: "Search for prefetch files with M or B time before this date. YYYY-MM-DDThh:mm:ssZ"
      type: timestamp
    - name: ExecutableRegex
      description: "Regex of executable name, e.g. msbuild.exe"
      default: .
      type: regex
    - name: TargetRegex
      description: "Regex of accessed files to hunt for, e.g. \\.tmp$"
      default: .
      type: regex
    - name: TargetWhitelist
      description: "A regex to apply as a whitelist to exclude from accessed files."
      type: regex

sources:
  - query: |
      -- Parse prefetch files and apply artifact-level filters. The glob,
      -- executable regex and date window are pushed down to
      -- Windows.Forensics.Prefetch; FilesAccessed is requested explicitly.
      LET prefetch = SELECT
            Executable,
            FilesAccessed,
            OSPath,
            Hash,
            Binary,
            ModificationTime,CreationTime
        FROM Artifact.Windows.Forensics.Prefetch(
            prefetchGlobs=PrefetchGlobs,binaryRegex=ExecutableRegex,
            dateAfter=DateAfter,dateBefore=DateBefore,
            IncludeFilesAccessed='Y')

      -- Flatten FilesAccessed (one row per accessed file) and apply
      -- TargetRegex; TargetWhitelist, when set, excludes matching rows.
      SELECT Executable,
            FilesAccessed as FileAccessed,
            OSPath,
            ModificationTime,CreationTime,
            Hash,
            Binary
        FROM flatten(query=prefetch)
        WHERE
            FileAccessed =~ TargetRegex
            AND NOT if(condition=TargetWhitelist,
                        then= FileAccessed =~ TargetWhitelist,
                        else= False)
        GROUP BY Executable,FileAccessed,Binary