
Profile: modules/windows/prefetch.toml

Source

  • Original path: profiles/modules/windows/prefetch.toml

Profile (TOML)

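# Windows Prefetch Module
# Collects Windows Prefetch files for execution analysis.
#
# All patterns are regexes matched case-insensitively against a path
# (see `type`/`case-insensitive` on each entry). They are written as TOML
# literal strings ('...') so regex backslashes need no double escaping.
# Filename-level patterns are anchored at a path separator so that a
# longer executable name cannot match a shorter one by suffix
# (e.g. TELNET.EXE-*.pf must not trigger the NET entry).

[module]
name = "Windows Prefetch"
description = "Windows Prefetch files (.pf) for application execution history"
category = "windows"
platform = ["windows"]
priority = "high"

# Prefetch Files
# Any .pf file, wherever it is found. Prefetch entries are named
# <EXENAME>-<8 hex digits>.pf, so this also covers every tool-specific
# entry below.
[[patterns]]
  name = "Prefetch File"
  pattern = '\.pf$'
  case-insensitive = true
  type = "regex"

# Prefetch Directory
# Matches files *inside* a Prefetch directory (trailing separator required),
# which picks up non-.pf artefacts kept there, e.g. Layout.ini.
[[patterns]]
  name = "Prefetch Directory"
  pattern = '[/\\]Prefetch[/\\]'
  case-insensitive = true
  type = "regex"

# Specific Prefetch Patterns for Common Tools
# These binaries are frequently abused for living-off-the-land execution,
# so their Prefetch entries are the first ones a triage looks at. Every
# one of them is already matched by "Prefetch File" above; presumably the
# collector uses the separate entries for tagging or prioritisation —
# confirm against the consumer.
[[patterns]]
  name = "CMD Prefetch"
  pattern = '(?:^|[/\\])CMD\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

# Deliberately not anchored on ".EXE" so POWERSHELL_ISE.EXE-*.pf is
# included as well.
[[patterns]]
  name = "PowerShell Prefetch"
  pattern = '(?:^|[/\\])POWERSHELL[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "WMIC Prefetch"
  pattern = '(?:^|[/\\])WMIC\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

# Covers PSEXEC.EXE / PSEXEC64.EXE on the initiating host and the
# PSEXESVC.EXE service binary that PsExec drops on the remote host.
[[patterns]]
  name = "PSEXEC Prefetch"
  pattern = '(?:^|[/\\])PSEXE(?:C|SVC)[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "MSHTA Prefetch"
  pattern = '(?:^|[/\\])MSHTA\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "REGSVR32 Prefetch"
  pattern = '(?:^|[/\\])REGSVR32\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "RUNDLL32 Prefetch"
  pattern = '(?:^|[/\\])RUNDLL32\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "CSCRIPT Prefetch"
  pattern = '(?:^|[/\\])CSCRIPT\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "WSCRIPT Prefetch"
  pattern = '(?:^|[/\\])WSCRIPT\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "CERTUTIL Prefetch"
  pattern = '(?:^|[/\\])CERTUTIL\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

[[patterns]]
  name = "BITSADMIN Prefetch"
  pattern = '(?:^|[/\\])BITSADMIN\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

# NET.EXE and its helper NET1.EXE. The leading separator is what keeps
# TELNET.EXE-*.pf from matching here.
[[patterns]]
  name = "NET Prefetch"
  pattern = '(?:^|[/\\])NET1?\.EXE[^/\\]*\.pf$'
  case-insensitive = true
  type = "regex"

# Superfetch/ReadyBoot
# Superfetch databases in the Prefetch directory: AgAppLaunch.db,
# AgRobust.db, the AgGl*.db history files and the AgCx_*.db files.
# (The previous form required a literal "AgApp.db"/"AgRobustApp.db"
# suffix, which none of these names has.)
[[patterns]]
  name = "Superfetch Database"
  pattern = '(?:^|[/\\])Ag(?:AppLaunch|Robust|Gl[A-Za-z0-9_]*|Cx_[A-Za-z0-9_]*)\.db$'
  case-insensitive = true
  type = "regex"

# The ReadyBoot sub-directory of Prefetch and the ReadyBoot.etl trace in
# it. Anchored at a separator so an unrelated name merely containing the
# word does not match.
[[patterns]]
  name = "ReadyBoot"
  pattern = '[/\\]ReadyBoot'
  case-insensitive = true
  type = "regex"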