analyzing-windows-prefetch-with-python

Parse Windows Prefetch files using the windowsprefetch Python library to reconstruct application execution history, detect renamed or masquerading binaries, and identify suspicious program execution patterns.


Skill Content

# Analyzing Windows Prefetch with Python

## Overview

Windows Prefetch files (.pf) record application execution data including executable names, run counts, timestamps, loaded DLLs, and accessed directories. This skill covers parsing Prefetch files using the windowsprefetch Python library to reconstruct execution timelines, detect renamed or masquerading binaries by comparing executable names with loaded resources, and identify suspicious programs that may indicate malware execution or lateral movement.

## When to Use

- When investigating security incidents that require analyzing Windows Prefetch with Python
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.9+ with the `windowsprefetch` library (`pip install windowsprefetch`)
- Windows Prefetch files from C:\Windows\Prefetch\ (versions 17-30 supported)
- Understanding of Windows Prefetch file naming conventions (EXECUTABLE-HASH.pf)

## Steps

### Step 1: Collect Prefetch Files

Gather .pf files from the target system's C:\Windows\Prefetch\ directory.

### Step 2: Parse Execution History

Extract executable name, run count, last execution timestamps, and volume information.

### Step 3: Detect Suspicious Execution

Flag known attack tools (mimikatz, psexec, etc.), renamed binaries, and unusual execution patterns.

### Step 4: Build Exe...
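As an added example that is not part of the skill or the windowsprefetch library, the Step 3 checks applied to records already parsed into plain dicts (the library's own attribute names are not assumed here): the known-tool watch list, the `EXECUTABLE-HASH.pf` naming rule, and the executable's own path in its resource list. The `EXPECTED_DIR` table and the sample records are constructed assumptions.

```python
import re
# Attack tools named in the skill text; extend with your own watch list.
ATTACK_TOOLS = {"MIMIKATZ.EXE", "PSEXEC.EXE", "PSEXESVC.EXE"}
# Assumed home directories of commonly impersonated system binaries.
EXPECTED_DIR = {"SVCHOST.EXE": r"\WINDOWS\SYSTEM32", "LSASS.EXE": r"\WINDOWS\SYSTEM32"}
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)
VOLUME_RE = re.compile(r"^\\VOLUME\{[^}]*\}", re.I)  # prefix on resource paths

def parse_pf_name(pf_name):
    """Split EXECUTABLE-HASH.pf into (EXECUTABLE, HASH); None if malformed."""
    m = PF_NAME_RE.match(pf_name)
    return (m["exe"].upper(), m["hash"].upper()) if m else None

def flag_record(rec):
    """Return findings for one parsed record: pf_name, executable_name, resources."""
    findings = []
    exe = rec["executable_name"].upper()
    parsed = parse_pf_name(rec["pf_name"])
    if parsed is None:
        findings.append("malformed Prefetch filename")
    elif parsed[0] != exe:  # filename and embedded name normally agree
        findings.append(f"filename says {parsed[0]} but record says {exe}")
    if exe in ATTACK_TOOLS:
        findings.append(f"known attack tool: {exe}")
    # Resources normally include the executable's own path; check its directory.
    paths = [VOLUME_RE.sub("", p).upper() for p in rec["resources"]]
    own = [p for p in paths if p.endswith("\\" + exe)]
    if not own:
        findings.append(f"{exe} missing from its own resource list")
    for p in own:
        directory, expected = p.rsplit("\\", 1)[0], EXPECTED_DIR.get(exe)
        if expected and directory != expected:
            findings.append(f"{exe} ran from {directory}, expected {expected}")
    return findings

def scan_records(records):
    """Map each .pf filename to its findings (empty list means nothing flagged)."""
    return {rec["pf_name"]: flag_record(rec) for rec in records}

# Constructed sample records, not real forensic data.
VOL = r"\VOLUME{01d00000deadbeef-12345678}"
SAMPLE_RECORDS = [
    {"pf_name": "SVCHOST.EXE-1A2B3C4D.pf", "executable_name": "SVCHOST.EXE",
     "resources": [VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL", VOL + r"\USERS\PUBLIC\SVCHOST.EXE"]},
    {"pf_name": "MIMIKATZ.EXE-9E8D7C6B.pf", "executable_name": "MIMIKATZ.EXE",
     "resources": [VOL + r"\TEMP\MIMIKATZ.EXE", VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL"]},
    {"pf_name": "CALC.EXE-0F1E2D3C.pf", "executable_name": "CALC.EXE",
     "resources": [VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL"]},  # own path absent
]
```

`scan_records(SAMPLE_RECORDS)` flags the relocated svchost, the named tool, and the record whose executable never appears in its own resources, and returns an empty list for anything clean.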

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
