[Osquery_manager] Prefetch artifact saved query

[tomsonpl]

Windows Prefetch Artifact

The Windows Prefetch artifact provides critical forensic visibility into program execution history on Windows systems. Prefetch (.pf) files automatically track application launches, execution counts, timestamps, and file/directory access patterns, making them invaluable for detecting malicious program execution, lateral movement, and persistence mechanisms.

Read https://p.elstc.co/paste/otT8aNps#MwungD8BCsjzA5MFfHfXPQqUhCD+eVAXPGs65MQPBVA

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
1	Prefetch	✅	Windows	prefetch_windows_elastic	c9f4e1a0	Program execution history via Windows Prefetch artifacts

Queries by Platform

---

🪟 Windows - Program Execution History and Forensic Intelligence

Description

Investigates Windows Prefetch artifacts to track program execution history across the system. Prefetch files (.pf) are automatically created by Windows to optimize application load times, but they also serve as a critical forensic data source. This query uses the native Osquery prefetch table to parse .pf files and extract execution intelligence including executable names, MD5 hashes, run counts, last execution timestamps, and accessed file/directory patterns. The query is filtered to executables run within the last 90 days to reduce noise while maintaining detection capabilities for recent threats. Results are capped at 1024 entries (matching Windows prefetch directory limit).

Detection Focus:

• Malicious program execution tracking (ransomware, trojans, backdoors)
• Lateral movement detection via remote execution tools (PsExec, WMI, PowerShell remoting)
• Persistence mechanism identification (malware run counts indicate established persistence)
• Suspicious executable locations (temp directories, user profiles, non-standard paths)
• File access patterns revealing data exfiltration or reconnaissance activity
• Timeline reconstruction for incident response and threat hunting

Result

Query returns comprehensive execution history including:

• Executable names and MD5 hashes for malware identification
• Last execution timestamps for timeline analysis
• Run counts indicating persistence or repeated execution
• Volume serial numbers for cross-system correlation
• Accessed files and directories revealing attacker behavior patterns
• Prefetch file paths for direct artifact validation

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

prefetch_windows_elastic

ECS Field Mappings

• process.name → filename
• file.name → filename
• process.hash.md5 → hash
• event.created → last_execution_time
• event.sequence → run_count
• file.size → size
• host.id → volume_serial
• file.path → accessed_files
• file.directory → accessed_directories
• file.path → prefetch_file_path

SQL Query

SELECT
  datetime(last_run_time, 'unixepoch') AS last_execution_time,
  filename,
  hash,
  run_count,
  other_run_times,
  size,
  volume_serial,
  volume_creation,
  accessed_files_count,
  accessed_directories_count,
  accessed_files,
  accessed_directories,
  path AS prefetch_file_path
FROM prefetch
WHERE last_run_time > (strftime('%s', 'now') - 7776000)
ORDER BY last_run_time DESC
LIMIT 1024

---

Implementation Notes

This query leverages Osquery's native prefetch table to parse Windows Prefetch artifacts directly, providing equivalent functionality to Velociraptor's Windows.Forensics.Prefetch artifact. The 90-day time window (7,776,000 seconds) balances forensic depth with performance, focusing on recent execution activity most relevant for threat detection. The 1024 result limit aligns with Windows' maximum prefetch directory capacity, ensuring complete coverage of the prefetch cache.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: e51393b