Campfire-1
In this Sherlock, you will familiarize yourself with prefetch files and learn how to identify and investigate Kerberoasting attacks.
Sherlock Scenario
Alonzo spotted weird files on his computer and informed the newly assembled SOC team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:
- Security Logs from the Domain Controller
- PowerShell-Operational Logs from the affected workstation
- Prefetch Files from the affected workstation
| Sherlock | Campfire-1 |
|---|---|
| Category | DFIR |
| Difficulty | Very Easy |
| Creator | CyberJunkie |
| Released | 20th June, 2024 |
Research
What Are Prefetch Files?
Windows Prefetch files are performance optimization artifacts created by the Windows Cache Manager and the Superfetch/SysMain service. When an application is executed, Windows monitors which files and resources are loaded during the first 10 seconds of execution. This data is saved as a prefetch file so that subsequent launches of the same application are faster — Windows pre-loads the necessary data into memory before the application requests it.
Forensic significance: Because prefetch files are created as a side effect of program execution, they serve as evidence that a program was run, even if the program itself has since been deleted.
Forensic Value
Prefetch files are among the most valuable artifacts in Windows forensics because they reveal:
| Artifact | Detail |
|---|---|
| Program Execution | Confirms a specific executable was run |
| Execution Count | How many times the program was launched (stored in the file header) |
| Last Run Time | Timestamp of the most recent execution |
| Up to 8 Run Times | Windows 8+ stores the last 8 execution timestamps |
| File Path | Full path of the executable at time of execution |
| Loaded Resources | DLLs, files, and directories accessed during launch |
| Volume Information | Drive serial number and volume name where the executable lived |
Some forensic use cases include:
- Anti-forensics detection: Malware that deletes itself leaves a prefetch trace
- Malware analysis: Identify what DLLs and files malware loaded at runtime
- User activity profiling: Establish what applications a user ran and when
Location
Prefetch files are located in C:\Windows\Prefetch\
- Files use the naming convention EXECUTABLENAME-XXXXXXXX.pf, where the 8-character hex suffix is a hash of the executable's full path (and in some cases the command-line arguments)
- Example: MIMIKATZ.EXE-7C0A4CD1.pf
Default Storage Limits
| Windows Version | Max Prefetch Files |
|---|---|
| Windows XP / Vista / 7 | 128 files |
| Windows 8 / 10 / 11 | 1024 files |
Prefetch is disabled by default on SSDs in some Windows versions. You can verify this by checking the EnablePrefetcher value under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
where:
- 0 = Disabled
- 1 = Application prefetching only
- 2 = Boot prefetching only
- 3 = Both (default on HDDs)
Analysis Tools
PECmd (By Eric Zimmerman)
The most powerful and widely used prefetch parser. Free, CLI-based.
```powershell
# Parse a single prefetch file
PECmd.exe -f "C:\Windows\Prefetch\MIMIKATZ.EXE-7C0A4CD1.pf"
# Parse an entire Prefetch directory
PECmd.exe -d "C:\Windows\Prefetch" --csv C:\output\
# Parse the directory and name the CSV output file (load it into Timeline Explorer for a timeline view)
PECmd.exe -d "C:\Windows\Prefetch" --csv C:\output\ --csvf prefetch_results.csv
# Parse a forensic image / offline directory
PECmd.exe -d "E:\[root]\Windows\Prefetch" --csv C:\output\
```
Download: https://ericzimmerman.github.io/
WinPrefetchView (NirSoft)
Lightweight GUI tool. Good for quick triage on live systems.
- Displays all prefetch files with run count, last run time, and loaded files
- Download: https://www.nirsoft.net/utils/win_prefetch_view.html
Prefetch Parser (Python - python-prefetch)
Useful for scripting and automation in DFIR pipelines.
```bash
pip install prefetch-parser
```
https://pypi.org/project/prefetch-parser/
Volatility (Memory Forensics Context)
For memory images, the prefetchparser plugin can extract prefetch data from RAM:
```bash
python vol.py -f memory.raw --profile=Win10x64 prefetchparser
```
Autopsy / Sleuth Kit
- Has a built-in Recent Activity module that parses prefetch files from disk images
- Results appear in the Recent Documents / Program Execution section of the Autopsy case
Timeline Explorer (Eric Zimmerman)
Use alongside PECmd CSV output to build execution timelines:
```powershell
PECmd.exe -d .\Prefetch\ --csv . --csvf prefetch.csv
# Open prefetch.csv in Timeline Explorer for filtering and sorting
```
Parsing a Prefetch File with PECmd
To demonstrate what prefetch file analysis looks like in practice, let's walk through the parsed output of RUBEUS.EXE-5873E24B.pf, extracted from the provided forensic artifacts (see Question 6 for context).
Simply run:
```powershell
PECmd.exe -f "..\..\campfire-1\Triage\Workstation\2024-05-21T033012_triage_asset\C\Windows\prefetch\RUBEUS.EXE-5873E24B.pf"
```
Header Information
PECmd immediately identifies the executable name and confirms this is a Windows 10/11 prefetch file (format version 30), which means it was MAM-compressed on disk. PECmd handles the decompression transparently.
Prefetch files have a binary format that has evolved across Windows versions.
Format Versions
| Version | Windows Version |
|---|---|
| 17 | Windows XP / 2003 |
| 23 | Windows Vista / 7 |
| 26 | Windows 8 / 8.1 |
| 30 | Windows 10 / 11 |
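As an added example (not code from this write-up or from PECmd), the following Python parser reads the version-independent header of an uncompressed prefetch file: it detects the MAM compression header that a Windows 10/11 file carries on disk, maps the format version to a Windows release, converts the embedded FILETIME last-run stamps to UTC, and checks that a .pf file name's hash suffix matches the path hash stored inside the file. The sample bytes are a constructed v30 header for RUBEUS.EXE, not the Sherlock's real file.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FORMAT_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
                   26: "Windows 8/8.1", 30: "Windows 10/11"}

def filetime_to_utc(ft):
    # FILETIME = 100 ns ticks since 1601-01-01; prefetch stores UTC, so no timezone shift
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def is_mam_compressed(data):
    # Windows 10/11 write the file Xpress-Huffman compressed behind a "MAM\x04" header
    return data[:4] == b"MAM\x04"

def parse_prefetch(data, pf_filename=None):
    """Parse the stable header fields of an *uncompressed* prefetch file."""
    if is_mam_compressed(data):
        raise ValueError("MAM-compressed; decompress (PECmd/libscca) before parsing")
    version, sig, _, size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    path_hash = struct.unpack_from("<I", data, 76)[0]           # hash of the full path
    # Last-run FILETIMEs: one at offset 120 (v17) or 128 (v23); eight from 128 on v26/v30.
    # The run-count offset differs per version and Windows 10 build, so it is left to PECmd.
    count, off = (8, 128) if version >= 26 else (1, 120 if version == 17 else 128)
    raw = struct.unpack_from(f"<{count}Q", data, off)
    info = {"version": version, "windows": FORMAT_VERSIONS.get(version, "unknown"),
            "executable": exe, "hash": f"{path_hash:08X}", "file_size": size,
            "last_run_utc": [filetime_to_utc(t) for t in raw if t]}
    if pf_filename:
        # A renamed or planted .pf shows up as a mismatch between name suffix and embedded hash
        info["name_matches_hash"] = pf_filename.upper() == f"{exe}-{path_hash:08X}.pf".upper()
    return info

def build_sample_v30(exe, path_hash, last_run):
    """Constructed minimal v30 header (hypothetical, not a real file) for demonstration."""
    buf = bytearray(224)
    struct.pack_into("<I4sII", buf, 0, 30, b"SCCA", 0x11, len(buf))
    buf[16:16 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, path_hash)
    struct.pack_into("<Q", buf, 128, utc_to_filetime(last_run))
    return bytes(buf)

SAMPLE = build_sample_v30("RUBEUS.EXE", 0x5873E24B,
                          datetime(2024, 5, 21, 3, 18, 8, tzinfo=timezone.utc))
```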
Execution History
Two things stand out here:
- Run count of 1: Rubeus was executed exactly once, which is typical of an attacker who runs a tool, completes their objective, and moves on, unlike legitimate software, which accumulates a higher run count over time.
- Timestamp 2024-05-21 03:18:08 UTC: this is the precise moment the Kerberoasting attack was carried out, and it correlates closely with the PowerShell -ep bypass execution I identified earlier at 03:16:32 UTC (in Question 5). The two are 96 seconds apart, strongly suggesting Rubeus was launched as a direct result of that PowerShell session.
Directories referenced
Full Path
Looking at the Files Referenced section, entry 01 is the most critical:
```text
\USERS\ALONZO.SPIRE\DOWNLOADS\RUBEUS.EXE (Executable: True)
```
This gives you the full path of the tool used to perform the Kerberoasting attack:
```text
C:\Users\Alonzo.Spire\Downloads\Rubeus.exe
```
This tells you:
- It was run under the account ALONZO.SPIRE, which is a specific user account on the workstation.
- It was executed directly from the Downloads folder -> not installed, just dropped and run, which is consistent with attacker behavior.
- The Executable: True flag confirms this is the binary that was actually launched.
Another particularly interesting entry in the file references is:
```text
\USERS\ALONZO.SPIRE\DOWNLOADS\RUBEUS.EXE:ZONE.IDENTIFIER
```
The Zone.Identifier is an NTFS Alternate Data Stream (ADS) that Windows automatically attaches to files downloaded from the internet.
Its presence here proves that Rubeus.exe was downloaded from an external source rather than compiled locally or copied from an internal share.
Forensically Significant DLLs Loaded
The referenced files section also reveals the libraries Rubeus loaded at runtime, several of which are highly indicative of its capabilities:
| DLL | Significance |
|---|---|
| KERBEROS.DLL | Direct Kerberos ticket manipulation |
| NTDSAPI.DLL | Active Directory interaction |
| CRYPTDLL.DLL | Cryptographic operations (RC4/AES) |
| SSPICLI.DLL | Security Support Provider — credential access |
| SYSTEM.DIRECTORYSERVICES.DLL | .NET AD enumeration |
| SYSTEM.DIRECTORYSERVICES.PROTOCOLS.DLL | LDAP queries against the domain |
The loading of KERBEROS.DLL alongside Active Directory and cryptographic libraries is a clear indication of Kerberoasting activity at the binary level.
Also Note The Schema Cache:
```text
\USERS\ALONZO.SPIRE\APPDATA\LOCAL\MICROSOFT\WINDOWS\SCHCACHE\FORELA.LOCAL.SCH
```
This entry reveals that Rubeus queried and cached the Active Directory schema for the domain FORELA.LOCAL, confirming it actively enumerated the domain for Service Principal Names (SPNs) to target during the attack.
References & Further Reading
- Eric Zimmerman’s Tools
- Hunting for Attacker’s Tactics and Techniques With Prefetch Files - By Group-IB
- Prefetch: The Little Snitch That Tells on You. - By TrustedSec
- A Prescription for Windows Prefetch Analysis - By SANS
- Windows Prefetch: What It Reveals and How to Analyze It - By We Investigate Anything
- Windows Forensics : Prefetch - By @omayma
- Forensic Analysis of Prefetch files in Windows - By Magnet Forensics
- Windows Forensic Analysis Poster - By SANS
- libyal/libscca - Library and tools to access the Windows Prefetch File (SCCA) format.
Solution
When you unzip the challenge files, you get the following artifacts:
```text
➜ tree *
Domain Controller
└── SECURITY-DC.evtx
Workstation
├── 2024-05-21T033012_triage_asset
│   └── C
│       └── Windows
│           └── prefetch
│               ├── ACE2016-KB5002138-FULLFILE-X6-F6B4ABCD.pf
│               ├── APPLICATIONFRAMEHOST.EXE-8CE9A1EE.pf
│               ├── AUDIODG.EXE-AB22E9A6.pf
│               ├── BACKGROUNDTASKHOST.EXE-F8B2DD01.pf
│               ├── CMD.EXE-0BD30981.pf
│               ├── COMPATTELRUNNER.EXE-B7A68ECC.pf
│               ├── CONHOST.EXE-0C6456FB.pf
│               ├── CONSENT.EXE-40419367.pf
│               ├── CTFMON.EXE-795F8130.pf
│               ├── DEFRAG.EXE-3D9E8D72.pf
│               ├── DLLHOST.EXE-077D6084.pf
│               ├── DLLHOST.EXE-1BAE06BB.pf
│               ├── DLLHOST.EXE-47BE07DC.pf
│               ├── DLLHOST.EXE-6F625E57.pf
│               ├── DLLHOST.EXE-7617EDA2.pf
│               ├── DLLHOST.EXE-7D5CE0CA.pf
│               ├── DLLHOST.EXE-810B6BBE.pf
// REDACTED //
```
Question 1
Analyzing Domain Controller Security Logs, can you confirm the date & time when the kerberoasting activity occurred?
To answer this, I analyzed the Domain Controller SECURITY Event Logs and specifically filtered for Event ID 4769 - “A Kerberos service ticket was requested.”
Kerberoasting exploits the Kerberos ticket-granting process. When an attacker targets a service account, they request a Ticket Granting Service (TGS) ticket for a registered Service Principal Name (SPN). The ticket is encrypted with the service account's password hash, which the attacker then takes offline to crack. Event ID 4769 is logged by the Domain Controller every time this request happens, hence making it the primary detection point.
As Event ID 4769 fires during normal, legitimate network operations constantly, simply finding it isn’t enough. The key is looking for the specific signature of an attack within the log entry:
```text
Ticket Encryption Type = 0x17 (RC4-HMAC)
```
Modern Windows environments default to AES-256 (0x12) for Kerberos encryption. RC4 is outdated and weak, but attackers deliberately request or force it because RC4-encrypted hashes are significantly easier to crack offline using tools like Hashcat. A TGS request using RC4 in an environment that should be using AES is a strong indicator of Kerberoasting.
Cross-referencing 4769 with these additional Event IDs helps build a complete picture of the attack:
| Event ID | Description | Forensic Value |
|---|---|---|
| 4768 | Kerberos Authentication Ticket (TGT) requested | Reveals the initial authentication step — who logged in before the attack |
| 4769 | Kerberos Service Ticket (TGS) requested | Primary indicator — filter for Encryption Type = 0x17 |
| 4773 | Failed Kerberos service ticket request | May appear if the attacker’s script hit errors or constraints during execution |
When loading the SECURITY-DC log into Windows Event Viewer, timestamps are automatically converted to the local system timezone. In my case, this is GMT+3, so all times displayed are 3 hours ahead of UTC. To normalize to UTC, the standard for forensic reporting, simply subtract 3 hours from any timestamp shown.
2024-05-21 03:18:09
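To show the 4769 filter described above as working detection logic, here is an added Python example (not part of this write-up) run over three constructed 4769 EventData records. Field names follow the real 4769 schema, the constructed TimeLocal values carry the GMT+3 time Event Viewer displayed, and excluding the krbtgt and machine-account ($) services is assumed tuning to suppress TGT renewals and computer tickets.

```python
from datetime import datetime, timedelta

# Constructed 4769 EventData records (not from the Sherlock's SECURITY-DC.evtx).
# TimeLocal is the timestamp as Event Viewer rendered it on a GMT+3 analyst machine.
EVENTS = [
    {"TimeLocal": "2024-05-21 06:17:55", "TargetUserName": "alonzo.spire@FORELA.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.17.79.129"},
    {"TimeLocal": "2024-05-21 06:18:09", "TargetUserName": "alonzo.spire@FORELA.LOCAL",
     "ServiceName": "MSSQLService", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.129"},
    {"TimeLocal": "2024-05-21 06:18:09", "TargetUserName": "alonzo.spire@FORELA.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.129"},
]
LOCAL_OFFSET = timedelta(hours=3)   # Event Viewer showed the log in GMT+3; subtract to get UTC
WEAK_ETYPES = {"0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
               "0x3": "DES-CBC-MD5", "0x1": "DES-CBC-CRC"}   # AES is 0x11 / 0x12

def to_utc(local_str, offset=LOCAL_OFFSET):
    """Normalize a displayed local timestamp back to UTC for reporting."""
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    return (local - offset).strftime("%Y-%m-%d %H:%M:%S")

def normalize_ip(ip):
    # DCs log IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
    return ip[7:] if ip.startswith("::ffff:") else ip

def is_kerberoast_candidate(ev):
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):   # TGT renewals and machine accounts
        return False
    return ev["TicketEncryptionType"].lower() in WEAK_ETYPES

def hunt_4769(events, offset=LOCAL_OFFSET):
    """Return one hit per TGS request for a user-account SPN that used a weak etype."""
    hits = []
    for ev in events:
        if is_kerberoast_candidate(ev):
            hits.append({"time_utc": to_utc(ev["TimeLocal"], offset),
                         "requester": ev["TargetUserName"],
                         "service": ev["ServiceName"],
                         "source_ip": normalize_ip(ev["IpAddress"]),
                         "etype": WEAK_ETYPES[ev["TicketEncryptionType"].lower()]})
    return hits
```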
Question 2
What is the Service Name that was targeted?
MSSQLService
Question 3
It is really important to identify the Workstation from which this activity occurred. What is the IP Address of the workstation?
172.17.79.129
Question 4
Now that we have identified the workstation, a triage including PowerShell logs and Prefetch files are provided to you for some deeper insights so we can understand how this activity occurred on the endpoint. What is the name of the file used to Enumerate Active directory objects and possibly find Kerberoastable accounts in the network?
Load the Powershell-Operational.evtx file into Event Viewer.
powerview.ps1
Question 5
When was this script executed? (UTC)
First, I identified that the attacker ran PowerShell scripts without being blocked by the system's execution policy restrictions.
The highlighted row (Event ID 40961 at 6:16:29 AM) shows “PowerShell console is starting up”.
This is the event that directly corresponds to the powershell -ep bypass script block captured in the first screenshot. Event ID 4104 is specifically the Script Block Logging event that records what was actually executed.
2024-05-21 03:16:32
Question 6
What is the full path of the tool used to perform the actual kerberoasting attack?
Use PECmd , a Prefetch parser by Eric Zimmerman.
```powershell
.\PECmd.exe -d ..\Triage\Workstation\2024-05-21T033012_triage_asset\C\Windows\prefetch\ --csv . --csvf prefetch.csv
```
Once complete, you should see something like this:
Use Timeline Explorer by Eric Zimmerman to load and analyze the output.
To identify the tool used for the actual Kerberoasting attack, I searched the parsed prefetch timeline in Timeline Explorer using keywords associated with well-known Kerberoasting and Active Directory attack tools. The following tools are closely linked to Kerberoasting activity:
- Rubeus.exe
- Mimikatz.exe
- Mimikatz.dll
- SharpHound.exe
- Invoke-Kerberoast.ps1
- PowerView.ps1
- GetUserSPNs.py
- Orpheus.py
- targetedKerberoast.py
Simply press Ctrl+F and search for each keyword; Rubeus.exe pops up.
Drilling down on the Directories tab / Files loaded, I identified the full path:
```text
C:\USERS\ALONZO.SPIRE\DOWNLOADS\RUBEUS.EXE
```
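The keyword hunt over the PECmd CSV, as an added Python example rather than the write-up's own method: it assumes PECmd's ExecutableName, Hash, RunCount, LastRun, Directories and FilesLoaded column names, runs over a constructed two-row excerpt, and for each tool match reports the drive-letter path, whether the Zone.Identifier stream (Mark-of-the-Web) sits beside the binary, and whether it ran from a Downloads folder.

```python
import csv
import io

# Tool names the write-up searches for in the parsed prefetch timeline
TOOL_KEYWORDS = ["RUBEUS.EXE", "MIMIKATZ.EXE", "MIMIKATZ.DLL", "SHARPHOUND.EXE",
                 "INVOKE-KERBEROAST.PS1", "POWERVIEW.PS1", "GETUSERSPNS.PY",
                 "ORPHEUS.PY", "TARGETEDKERBEROAST.PY"]

# Constructed two-row excerpt shaped like PECmd's CSV (column names assumed to match PECmd;
# the values are illustrative, not the Sherlock's real output). FilesLoaded is a
# comma-separated list of \VOLUME{...} device paths, which is why the field is quoted.
SAMPLE_CSV = r"""ExecutableName,Hash,RunCount,LastRun,Directories,FilesLoaded
CMD.EXE,0BD30981,12,2024-05-21 03:10:01,"\VOLUME{sample}\WINDOWS\SYSTEM32","\VOLUME{sample}\WINDOWS\SYSTEM32\CMD.EXE, \VOLUME{sample}\WINDOWS\SYSTEM32\NTDLL.DLL"
RUBEUS.EXE,5873E24B,1,2024-05-21 03:18:08,"\VOLUME{sample}\USERS\ALONZO.SPIRE\DOWNLOADS","\VOLUME{sample}\USERS\ALONZO.SPIRE\DOWNLOADS\RUBEUS.EXE, \VOLUME{sample}\USERS\ALONZO.SPIRE\DOWNLOADS\RUBEUS.EXE:ZONE.IDENTIFIER, \VOLUME{sample}\WINDOWS\SYSTEM32\KERBEROS.DLL"
"""

def device_to_drive(path, drive="C:"):
    """Map a VOLUME{...} device path to a drive letter (system volume assumed to be C:)."""
    return drive + path.split("}", 1)[1] if path.upper().startswith("\\VOLUME{") else path

def hunt_prefetch_csv(csv_text, keywords=TOOL_KEYWORDS):
    """Return one hit per prefetch row whose executable or loaded files name a known tool."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        files = [f.strip() for f in row["FilesLoaded"].split(",") if f.strip()]
        for kw in keywords:
            exe_paths = [f for f in files if f.upper().endswith("\\" + kw)]
            if row["ExecutableName"].upper() != kw and not exe_paths:
                continue
            full_path = device_to_drive(exe_paths[0]) if exe_paths else None
            hits.append({
                "tool": kw,
                "prefetch_exe": row["ExecutableName"],
                "full_path": full_path,
                "run_count": int(row["RunCount"]),
                "last_run": row["LastRun"],          # PECmd reports timestamps in UTC
                # Zone.Identifier ADS next to the binary = Mark-of-the-Web, i.e. downloaded
                "mark_of_the_web": any(f.upper().endswith(kw + ":ZONE.IDENTIFIER") for f in files),
                "from_downloads": bool(full_path) and "\\DOWNLOADS\\" in full_path.upper(),
            })
    return hits
```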
Question 7
When was the tool executed to dump credentials? (UTC)
2024-05-21 03:18:08
