Built on the open source project osquery
Description: This query enumerates prefetch files to identify evidence of execution.
What The Data Shows: The query returns every prefetch file together with its creation time (btime, treated as first execution) and last modification time (mtime, treated as last execution). This helps identify evidence of execution on Windows systems with prefetch enabled. One assumption is that the prefetch file has not been deleted and recreated since the binary first ran; if it has, btime reflects the recreation and is no longer truly the "first" execution of the associated binary.
SQL:
SELECT datetime(btime, 'unixepoch', 'localtime') AS firstrun,
       datetime(mtime, 'unixepoch', 'localtime') AS lastrun,
       filename
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
ORDER BY lastrun DESC;
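The following is an added example, not part of the original query set, that extends the page's query in two ways a responder usually wants: it confirms that prefetching is actually enabled (the page's stated precondition) by reading the EnablePrefetcher registry value, and it restricts the prefetch listing to a recent window while deriving the executable name from the `NAME.EXE-HASH.pf` filename pattern. The 7-day window, the column alias names and the mapping of EnablePrefetcher values (0 = disabled, 1 = application launch, 2 = boot, 3 = both) are assumptions made for this example; the `file` and `registry` tables and `strftime`/`substr` are standard osquery/SQLite features.

```sql
-- Added example (not from the original page). Step 1: verify the
-- precondition. EnablePrefetcher of 0 means no prefetch files will be
-- written, so an empty result from the page's query proves nothing.
SELECT name,
       data AS enable_prefetcher,
       CASE data
         WHEN '0' THEN 'disabled'
         WHEN '1' THEN 'application launch prefetching'
         WHEN '2' THEN 'boot prefetching'
         WHEN '3' THEN 'application and boot prefetching'
         ELSE 'unknown value'
       END AS meaning
FROM registry
WHERE key  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
  AND name = 'EnablePrefetcher';

-- Step 2: the page's query, narrowed to files modified in the last 7 days
-- (assumed window) and enriched with the executable name. A prefetch
-- filename has the form NAME.EXE-XXXXXXXX.pf, so stripping the trailing
-- 12 characters ('-' + 8 hex digits + '.pf') yields the executable name
-- even when the name itself contains hyphens.
SELECT datetime(btime, 'unixepoch', 'localtime') AS firstrun,
       datetime(mtime, 'unixepoch', 'localtime') AS lastrun,
       substr(filename, 1, length(filename) - 12) AS executable,
       filename,
       size,
       -- A btime that equals mtime (to the second) is consistent with a
       -- prefetch file that was created and never updated, which is what a
       -- deleted-and-recreated file looks like; it is a hint, not proof.
       CASE WHEN btime = mtime THEN 'single-run-or-recreated' ELSE '' END AS note
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\%.pf'
  AND mtime > CAST(strftime('%s', 'now', '-7 days') AS INTEGER)
ORDER BY mtime DESC;
```

Run step 1 first; if EnablePrefetcher is 0 (common on some server SKUs and on systems with an SSD policy that disabled it), the absence of a prefetch file for a binary is not evidence that it never executed. The `note` column only flags the deleted-and-recreated case described above as a possibility; confirming it requires correlating with the executable's own timestamps or other execution artifacts.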
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.