Hunting for attacker tactics and techniques with Prefetch files



Trace files, or Prefetch files, have existed in Windows since XP. Since then they have helped digital forensics and incident response specialists find traces of software launches, including malware. Oleg Skulkin, lead computer forensics specialist at Group-IB, explains what can be found in Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and are used to speed up program launches. If we look at any of these files, we will see that its name consists of two parts: the name of the executable and an eight-character checksum (hash) of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable, the number of runs, lists of files and directories the executable interacted with and, of course, timestamps. Typically, forensic analysts use the creation date of a Prefetch file to determine when the program was first run. In addition, these files store the date of the last run and, starting with version 26 (Windows 8.1), the timestamps of the last seven runs.

Let's take one of the Prefetch files, extract the data from it with Eric Zimmerman's PECmd and look at each part. For the demonstration I will extract the data from the file CCLEANER64.EXE-DE05DBE1.pf.

Let's start from the top. First of all, we have the timestamps of the file's creation, modification and last access:


They are followed by the name of the executable, the checksum of its path, the size of the executable, and the version of the Prefetch file:


Since we are dealing with Windows 10, we also see the run count, the date and time of the last run, and seven more timestamps for the previous runs:


They are followed by information about the volume, including its serial number and creation date:


And last but not least, a list of directories and files the executable interacted with:


The directories and files that the executable interacted with are exactly what I want to focus on today. It is this data that allows digital forensics, incident response and threat hunting specialists not only to establish that a file was executed but, in some cases, to reconstruct the specific tactics and techniques of the attackers. Attackers today quite often use tools for securely wiping data, for example SDelete, so the ability to recover at least traces of the use of certain tactics and techniques is essential for any modern defender, be it a computer forensic specialist, an incident responder or a threat hunter.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are very creative in choosing such attachments. For example, the Silence group used CHM (Microsoft Compiled HTML Help) files for this, which gives us yet another technique, Compiled HTML File (T1223). Such files are opened with hh.exe, so if we extract the data from its Prefetch file, we will find out which file the victim opened:


Continuing with real-life examples, we move on to the Execution tactic (TA0002) and the CMSTP technique (T1191). The Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts; the Cobalt group is a good example. If we extract the data from the cmstp.exe Prefetch file, we can again find out exactly what was launched:


Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also often used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the regsvr32.exe Prefetch file, we again see what was launched:


The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak / FIN7 used this technique to gain a foothold on the system. Application compatibility databases (.sdb files) are usually installed with sdbinst.exe, so the Prefetch file of this executable can tell us the names of such databases and where they are located:


As you can see in the illustration, we have not only the name of the file used for installation, but also the name of the installed database.

Let's look at one of the most common examples of Lateral Movement (TA0008): PsExec, which uses Windows Admin Shares (T1077). A service named PSEXECSVC is created on the target system (of course, any other name can be used if the attackers used the -r option), so if we extract the data from its Prefetch file, we will see that it was launched:


I will finish, perhaps, with what I started with: File Deletion (T1107). As I noted, many attackers use SDelete to permanently delete files at different stages of the attack life cycle. If we look at the data from the sdelete.exe Prefetch file, we will see exactly what was deleted:
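To tie the examples above together, here is an added Python example (not code from the article or from PECmd) that triages PECmd-style Prefetch records against the tools and technique IDs named above: for each watch-listed executable it keeps the referenced files that either carry an extension of interest or lie outside the system directories. The record field names, the per-tool extension lists, the volume ID, hashes, user name and timestamps are all assumptions constructed for the example.

```python
# Added example, not from the article: triage PECmd-style Prefetch records
# against the tools and technique IDs discussed above. Record field names and
# all sample values are constructed (PECmd's real column names differ).
import re
# .pf executable name -> (technique from the article, extensions of interest);
# the extension lists are this example's assumptions, not from the article.
WATCHLIST = {
    "HH.EXE":       ("T1223 Compiled HTML File",   (".CHM",)),
    "CMSTP.EXE":    ("T1191 CMSTP",                (".INF",)),
    "REGSVR32.EXE": ("T1117 Regsvr32",             (".DLL", ".SCT", ".OCX")),
    "SDBINST.EXE":  ("T1138 Application Shimming", (".SDB",)),
    "PSEXESVC.EXE": ("T1077 Windows Admin Shares", ()),
    "SDELETE.EXE":  ("T1107 File Deletion",        ()),
}
# Loads from these roots are ordinary OS references; anything else (user
# profiles, temp, removable media) is what the analyst wants surfaced.
SYSTEM_ROOTS = ("\\WINDOWS\\SYSTEM32\\", "\\WINDOWS\\SYSWOW64\\", "\\WINDOWS\\WINSXS\\")
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)

def strip_volume(path):
    """Drop the leading \\VOLUME{...} component Prefetch stores for each file."""
    return re.sub(r"^\\VOLUME\{[^}]*\}", "", path, flags=re.I)

def triage(records):
    """One finding per watch-listed record: technique, run data and the
    referenced files worth a look (extension hit or non-system path)."""
    findings = []
    for rec in records:
        m = PF_NAME.match(rec["pf_name"])
        if not m or m.group("exe").upper() not in WATCHLIST:
            continue
        technique, exts = WATCHLIST[m.group("exe").upper()]
        hits = [p for p in map(strip_volume, rec["files"])
                if p.upper().endswith(exts) or not p.upper().startswith(SYSTEM_ROOTS)]
        findings.append({"exe": m.group("exe").upper(), "technique": technique,
                         "run_count": rec["run_count"], "last_run": rec["last_run"],
                         "files": hits})
    return findings

# Constructed sample: hashes, volume ID, user name and timestamps are placeholders.
VOL = "\\VOLUME{00000000deadbeef-00000000}"
SAMPLE = [
    {"pf_name": "HH.EXE-00000001.pf", "run_count": 1, "last_run": "2019-03-04 09:12:33",
     "files": [VOL + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
               VOL + "\\USERS\\USER\\DOWNLOADS\\INVOICE.CHM"]},
    {"pf_name": "NOTEPAD.EXE-00000002.pf", "run_count": 12, "last_run": "2019-03-04 10:00:00",
     "files": [VOL + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL"]},
    {"pf_name": "SDBINST.EXE-00000003.pf", "run_count": 1, "last_run": "2019-03-04 09:20:10",
     "files": [VOL + "\\WINDOWS\\SYSTEM32\\APPHELP.DLL",
               VOL + "\\USERS\\USER\\APPDATA\\LOCAL\\TEMP\\UPDATE.SDB",
               VOL + "\\WINDOWS\\APPPATCH\\CUSTOM\\{00000000-0000-0000-0000-000000000000}.SDB"]},
]
```

Calling `triage(SAMPLE)` skips the NOTEPAD record and returns two findings: hh.exe with the CHM from the Downloads folder, and sdbinst.exe with both the .sdb in Temp and the installed copy under \WINDOWS\APPPATCH\CUSTOM.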



Of course, this is not an exhaustive list of the techniques that can be found by analysing Prefetch files, but it should be enough to show that such files allow us not only to find traces of program launches, but also to reconstruct the specific tactics and techniques used by attackers.

Source: https://habr.com/ru/post/undefined/