Prefetch enumeration

Description: This query enumerates prefetch files to identify evidence of execution.

What The Data Shows: The query returns all prefetch files along with their first execution (btime) and last execution (mtime). This helps identify evidence of execution on Windows systems with prefetch enabled. One assumption is that the prefetch file has not previously been deleted and recreated; if it has, btime no longer reflects the true first execution of the associated binary.

SQL:

-- btime = creation time of the .pf file (first recorded run), mtime = last write (most recent run)
SELECT datetime(btime, 'unixepoch', 'localtime') AS firstrun,
       datetime(mtime, 'unixepoch', 'localtime') AS lastrun,
       filename
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
ORDER BY lastrun DESC;

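The following is an added example that builds on the submitted query; it is not part of the original post or of Carbon Black's approved content. It assumes the SQLite dialect that osquery executes for Audit & Remediation, and that prefetch filenames follow the usual NAME.EXE-XXXXXXXX.pf layout (executable name, a hyphen, an 8-character path hash, and the .pf extension). It splits the filename into executable name and path hash, reports the run window, and counts how many prefetch files share the same executable name, since several hashes for one name means that name was run from more than one location or command line, which is a common triage pivot.

```sql
-- Added example, not from the original post. Assumes osquery's SQLite dialect
-- (Carbon Black Audit & Remediation) and NAME.EXE-XXXXXXXX.pf filenames.
WITH pf AS (
  SELECT
    filename,
    -- strip the trailing "-XXXXXXXX.pf" (12 characters) to get the executable name
    upper(substr(filename, 1, length(filename) - 12))  AS executable,
    -- the 8 hex characters immediately before ".pf" are the path/command-line hash
    substr(filename, length(filename) - 10, 8)          AS path_hash,
    btime,
    mtime,
    size
  FROM file
  WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
)
SELECT
  executable,
  path_hash,
  datetime(btime, 'unixepoch', 'localtime') AS firstrun,
  datetime(mtime, 'unixepoch', 'localtime') AS lastrun,
  (mtime - btime) / 86400                   AS days_observed,
  -- number of distinct prefetch files carrying this executable name
  (SELECT count(*) FROM pf AS p2 WHERE p2.executable = pf.executable) AS variants_of_name,
  size
FROM pf
ORDER BY variants_of_name DESC, lastrun DESC;
```

The same caveat from the description applies: a deleted and recreated .pf file resets btime, so firstrun is a lower bound on evidence of execution, not proof of the true first run. The query returns no rows on hosts where prefetch is disabled, which is the default on Windows Server editions.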

3 Comments
kbrawley
Community Manager

Hi @eric_capuano, thank you for your submission! We will test your query and, if it runs as expected, we'll update your submission from Under Review to CB Approved.

Thanks again!

eric_capuano
New Contributor II

Added missing semicolon

jnelson
Carbon Black Employee
Status changed to: Approved