Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for Office MRU (most recently used) entries #6587

Merged
merged 17 commits into from
Sep 13, 2020
Merged

Support for Office MRU (most recently used) entries #6587

merged 17 commits into from
Sep 13, 2020

Conversation

puffyCid
Copy link
Contributor

This PR adds support for parsing Windows Office and Office365 MRU entries.
These entries contain recently opened Office documents as well as the time the document was last opened.
Sample query below:

osquery> select * from office_most_recently_used;
+-------------+---------+--------------------------------------------+------------------+-----------------------------------------------+
| application | version | path                                       | last_opened_time | sid                                           |
+-------------+---------+--------------------------------------------+------------------+-----------------------------------------------+
| Access      | 16.0    | C:\Users\bob\Documents\Database1.accdb     | 1593373538       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Excel       | 16.0    | C:\Users\bob\Desktop\Sensitive_Info.xlsx   | 1593379329       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Excel       | 16.0    | C:\Users\bob\Desktop\Book1.xlsm            | 1593372755       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| OneNote     | 16.0    | C:\Users\bob\Desktop\notes                 | 1593373799       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Publisher   | 16.0    | C:\Users\bob\Desktop\Publication1.pub      | 1593373586       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Word        | 16.0    | C:\Users\bob\Desktop\TotallyNotAPhish.docx | 1593372691       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Word        | 16.0    | C:\Users\bob\Desktop\Invoice.docx          | 1593372650       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Word        | 16.0    | C:\Users\bob\Desktop\Doc1.docx             | 1593368137       | S-1-5-21-1079689790-2336414676-942872339-1001 |
| Word        | 16.0    | C:\Users\bob\Desktop\testing.docx          | 1593366081       | S-1-5-21-1079689790-2336414676-942872339-1001 |
+-------------+---------+--------------------------------------------+------------------+-----------------------------------------------+

Let me know if there are any issues that need to be fixed

@puffyCid puffyCid changed the title Add Office MRU (most recently used) table Support for Office MRU (most recently used) entries Aug 10, 2020
theopolis
theopolis requested changes Sep 1, 2020
View reviewed changes
Copy link
Member

@theopolis theopolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in this case we can call this office_mru since the mru abbreviation is common enough. What do you think? Do people usually refer to this data as "MRU"?

osquery/tables/applications/windows/office_most_recently_used.cpp Outdated Show resolved Hide resolved
osquery/tables/applications/windows/office_most_recently_used.cpp Outdated Show resolved Hide resolved
@theopolis theopolis force-pushed the office_mru branch 2 times, most recently from 50ce5a3 to 49ea512 Compare September 11, 2020 18:16
@theopolis
Copy link
Member

Hey @puffyCid, I made some changes, do you mind checking if the table still works? I do not have office installed and my Windows VM is a little flaky.

@puffyCid
Copy link
Contributor Author

puffyCid commented Sep 12, 2020
edited

thanks @theopolis for the changes. i pulled the changes, re-compiled osquery, and the table still works.
Thanks!

@directionless directionless added this to the 4.6.0 milestone Sep 13, 2020
@theopolis theopolis merged commit bd54563 into osquery:master Sep 13, 2020
@puffyCid puffyCid deleted the office_mru branch February 11, 2021 23:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@directionless directionless directionless left review comments

@theopolis theopolis theopolis approved these changes

Assignees
No one assigned
Labels
virtual tables Windows
Projects
None yet
Milestone
4.6.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@puffyCid @theopolis @directionless