Windows.Office.MRU

This artifact enables hunting for recently used Office documents.

The artifact takes a Registry path glob and extracts the Most Recently Used (MRU) file list from Microsoft Office products (e.g. Word, Excel, PowerPoint). Each File MRU\Item* value stores the time the document was last opened (a hex FILETIME) and the document path; the query turns these into a timestamp, the account name resolved from the SID in the key path, the Office application, and the path. The default glob covers Office 14.0 (2010), 15.0 (2013) and 16.0 (2016 and later). Because the glob walks the live HKEY_USERS hive, only users whose hives are currently loaded (logged-on users) are returned; hives of users who are not logged on are not included.


name: Windows.Office.MRU
author: "Yaron King - @Sam0rai"
description: |
   This artifact enables hunting for recently used Office documents.

   The artifact takes a Registry path glob and extracts the Most Recently Used (MRU) file list from Microsoft Office products (e.g. Word, Excel, PowerPoint). Each File MRU\Item* value stores the time the document was last opened (a hex FILETIME) and the document path; the query turns these into a timestamp, the account name resolved from the SID in the key path, the Office application, and the path. The default glob covers Office 14.0 (2010), 15.0 (2013) and 16.0 (2016 and later). Because the glob walks the live HKEY_USERS hive, only users whose hives are currently loaded (logged-on users) are returned; hives of users who are not logged on are not included.

type: CLIENT

precondition:
  SELECT * FROM info() where OS = 'windows'

parameters:
  - name: OfficeMRU_RegistryGlob
    description: Registry path glob for Microsoft Office's File MRU values (14.0 = Office 2010, 15.0 = 2013, 16.0 = 2016 and later).
    default: HKEY_USERS\S-1-5-21-*\Software\Microsoft\Office\1{4,5,6}.0\{Word,Excel,PowerPoint}\User MRU\*\File MRU\Item*

sources:
  - query: |
        -- Each matching value is one MRU slot. Data.value has the form
        -- "[F<flags>][T<FILETIME hex>][O<flags>]*<document path>".
        -- FullPath has the form
        -- "\HKEY_USERS\<SID>\Software\Microsoft\Office\<ver>\<App>\User MRU\<identity>\File MRU\Item N",
        -- so after splitting on the backslash index 2 is the SID and index 7 the application.
        -- The glob comes from the OfficeMRU_RegistryGlob parameter; do not redefine it here
        -- with LET or the caller's value is ignored.
        SELECT
            timestamp(winfiletime=int(int="0x" + parse_string_with_regex(
                string=Data.value,
                regex=['\\[T(?P<timestamp>\\w+)']).timestamp)) AS Timestamp,
            lookupSID(sid=(split(string=FullPath, sep='\\\\'))[2]) AS SAMaccountname,
            (split(string=FullPath, sep='\\\\'))[7] AS FileType,
            (split(string=Data.value, sep='\\*'))[1] AS Path
        FROM glob(globs=OfficeMRU_RegistryGlob, accessor='reg')
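The value layout the query depends on, as an added Python example (this is not part of the artifact or of Velociraptor): it reproduces the same parsing offline, so the logic can be checked against values exported with reg.exe or pulled from an NTUSER.DAT of a user who is not logged on. The key paths and Item* values below are constructed sample data, not captured from a host; the "[F..][T<FILETIME>][O..]*<path>" layout and the key-path positions are exactly what the query's regex and split() indices assume. SIDs are left unresolved because there is no lookupSID offline.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Key path as Velociraptor's reg accessor reports it (leading backslash) or as
# "reg export" writes it (no leading backslash); both forms are accepted.
KEY_RE = re.compile(
    r"^\\?HKEY_USERS\\(?P<sid>S-1-5-21(?:-\d+)+)\\Software\\Microsoft\\Office\\"
    r"(?P<version>1[456])\.0\\(?P<app>Word|Excel|PowerPoint)\\User MRU\\"
    r"(?P<identity>[^\\]+)\\File MRU\\(?P<item>Item \d+)$",
    re.IGNORECASE,
)

# Item* data: "[F<8 hex>][T<16 hex FILETIME>][O<8 hex>]*<document path>".
VALUE_RE = re.compile(
    r"^\[F(?P<fflags>[0-9A-Fa-f]{8})\]\[T(?P<filetime>[0-9A-Fa-f]{16})\]"
    r"\[O(?P<oflags>[0-9A-Fa-f]{8})\]\*(?P<path>.+)$"
)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME integer -> aware UTC datetime (what timestamp(winfiletime=) does in VQL)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_mru_value(data: str):
    """Split one Item* value into (timestamp, path); None if it is not MRU-shaped."""
    m = VALUE_RE.match(data)
    if m is None:
        return None
    return filetime_to_datetime(int(m["filetime"], 16)), m["path"]


def parse_mru_entry(key_path: str, data: str):
    """Build one record with the artifact's columns; the SID stays unresolved offline."""
    km = KEY_RE.match(key_path)
    parsed = parse_mru_value(data)
    if km is None or parsed is None:
        return None
    timestamp, path = parsed
    return {
        "sid": km["sid"],
        "office_version": km["version"] + ".0",
        "file_type": km["app"],
        "item": km["item"],
        "timestamp": timestamp,
        "path": path,
    }


def parse_entries(entries):
    """Parse (key_path, data) pairs, skipping anything that is not a well-formed MRU item."""
    records = []
    for key_path, data in entries:
        record = parse_mru_entry(key_path, data)
        if record is not None:
            records.append(record)
    return records


# Constructed sample data (hypothetical SID, identity and paths; not from a real host).
SAMPLE_ENTRIES = [
    (r"\HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
     r"\Office\16.0\Word\User MRU\LiveId_0123ABCD\File MRU\Item 1",
     # T01D5C03669050000 = 132223104000000000 ticks = 2020-01-01 00:00:00 UTC
     r"[F00000000][T01D5C03669050000][O00000000]*C:\Users\alice\Documents\Q4 report.docx"),
    (r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
     r"\Office\15.0\Excel\User MRU\ADAL_9876FEDC\File MRU\Item 2",
     # T019DB1DED53E8000 = 116444736000000000 ticks = 1970-01-01 00:00:00 UTC
     r"[F00000000][T019DB1DED53E8000][O00000000]*\\fileserver\share\budget.xlsx"),
    (r"\HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft"
     r"\Office\16.0\PowerPoint\User MRU\LiveId_0123ABCD\File MRU\Item 1",
     # Not MRU-shaped: no [T...] block, so it is dropped rather than mis-parsed.
     r"C:\orphan.pptx"),
]

if __name__ == "__main__":
    for record in parse_entries(SAMPLE_ENTRIES):
        print(record["timestamp"].isoformat(), record["sid"],
              record["file_type"], record["path"])
```

The third sample shows the failure mode the VQL silently produces: a value without a [T...] block makes parse_string_with_regex return nothing and int() of "0x" is meaningless, so the row would carry an empty or bogus timestamp. Here such values are dropped; if you prefer to keep them, return the record with timestamp set to None and triage them separately.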