What is the Microsoft Office MRU Registry Artifact?

Cyber Triage Artifact Catalog

Published on December 7, 2022
Last updated on December 22, 2022

Watch Video

or continue reading below

What is an Office MRU Registry Artifact?

This registry-based artifact stores references to Microsoft Office files accessed by a user. There is a similar file-based artifact. 

It is in the “Data Accessed” category, which stores what files a user opened. 

Why does the Office MRU exist?

It exists so that Office applications can show users a list of recently opened files. The user can then pick from this list instead of navigating to the folder in which it is stored. MRU stands for “Most Recently Used.” 

How is an Office MRU useful in DFIR?

It is useful to a DFIR investigator because it can show what documents the user was recently focused on:

  • In an intrusion case with an account takeover, this list could show what documents the attacker was interested in. 
  • For an insider threat case, it can show what kinds of documents the user wanted to steal. 
  • In a general investigation, knowing what documents the user recently opened can reveal what they used the computer for.

It can also list file paths and times for files that have since been deleted or were on a removable drive. 

Where Do You Find an Office MRU?

The Office MRU data is stored in a User’s NTUSER.DAT registry hive.  Each Office application and version has its list. For example, here is a path for Word 2016: 

      HKCU\SOFTWARE\Microsoft\Office\16.0\Word\

Within this key, several sub-keys are relevant:

  • File MRU – Files recently opened
  • Place MRU – Folders recently used to open/save
  • User MRU – Contains files and folders recently used when an online Microsoft account was used. 

What does an Office MRU contain?

The registry key contains a list of file names and metadata. The list is sorted, and the first element was the most recently opened.  Each entry also contains when it was last opened. 

In the above example, there are two documents in the list. The second field, “[T01D89D2B76DE8A00]” is a time stamp. 

  • Hex 0x01D89D2B76DE8A00 converts to 133028999010880000
  • That converts to “Thu, 21 Jul 2022 17:58:21 GMT” using a Windows time converter

Where Can You See Office MRUs in Cyber Triage?

In Cyber Triage, you can find the Office MRU contents in the “Data Accessed” section. 

This section shows files that a user opened or saved. You can look at the Source Info section to see if the item came from an Office MRU key or another artifact. 

How Does Cyber Triage Score an Office MRU?

Cyber Triage will score Office MRU files as suspicious if they have malware characteristics. For example, an Office document with a macro running when the document is opened would get flagged. 

References

FacebookTwitterLinkedInReddit

Watch instead

Artifact Series

What is a Windows OpenSave MRU Artifact Hero

How Windows OpenSave MRU Artifacts Can Be Useful In Incident Response