The RunMRU (Most Recently Used) registry is a key component of the Microsoft Windows operating system, storing information about the most recently executed applications and documents. This information is used to populate the "Recent Items" list in the Start menu, as well as for application compatibility purposes.
While the RunMRU registry serves a useful purpose for end users, it also presents a potential security risk if not properly managed. In this blog post, we will discuss the normal use case for the RunMRU registry, as well as several examples of malicious use of the RunMRU registry. We will also provide links to additional resources for further study, including a white paper on the RunMRU registry and a SANS poster with proof of execution.
Finding the RunMRU Registry
The RunMRU registry is located in the Windows registry under the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. It can be viewed and modified using the Registry Editor (regedit.exe) in Windows.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
The registry entries within this key contain the full path to the recently executed applications and documents, as well as the order in which they were executed.
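As an added example (not code from the original post), the following Python script reconstructs the execution order described above from an offline export of the key, such as the file produced by running reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg on the examined system. It assumes the widely documented layout of the key, which the post itself does not spell out: one string value per entry, named with a single letter and ending in a "\1" marker, plus an MRUList value whose letters give the most-recent-first order. The .reg text embedded below is constructed for illustration, not captured from a real host.

```python
"""Reconstruct the order of RunMRU entries from a .reg export of the key.

Added example for this post; the sample export below is constructed.
Assumed layout: values "a", "b", ... hold the entries (each with a trailing
"\\1" marker) and "MRUList" lists the value names, most recent first.
"""
import re
from typing import Dict, List

# Constructed sample export of the RunMRU key (not from a real system).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="cmd\\1"
"c"="\\\\fileserver\\share\\report.docx\\1"
"d"="regedit\\1"
"MRUList"="dcab"
'''

# A .reg line of the form "name"="data"; data may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

# Name of the value that records the ordering (assumed well-known layout).
ORDER_VALUE = "MRUList"
ENTRY_SUFFIX = "\\1"


def _unescape(data: str) -> str:
    """Undo .reg escaping: a backslash escapes the following character."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_values(text: str) -> Dict[str, str]:
    """Return {value_name: string_data} for every REG_SZ line in the export.

    Header, key-path and blank lines do not match VALUE_RE and are skipped.
    """
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group(1)] = _unescape(m.group(2))
    return values


def runmru_history(values: Dict[str, str]) -> List[str]:
    """Return the recorded commands, most recent first, following MRUList.

    Letters in MRUList with no matching value are skipped rather than
    treated as an error, since partially cleared keys are common.
    """
    history: List[str] = []
    for letter in values.get(ORDER_VALUE, ""):
        entry = values.get(letter)
        if entry is None:
            continue
        if entry.endswith(ENTRY_SUFFIX):
            entry = entry[: -len(ENTRY_SUFFIX)]
        history.append(entry)
    return history


def orphan_entries(values: Dict[str, str]) -> List[str]:
    """Return value names that hold an entry but are absent from MRUList.

    Such leftovers still show something was run, just without an order.
    """
    order = values.get(ORDER_VALUE, "")
    return sorted(
        name for name in values
        if name != ORDER_VALUE and len(name) == 1 and name not in order
    )


if __name__ == "__main__":
    parsed = parse_reg_values(SAMPLE_REG_EXPORT)
    for position, command in enumerate(runmru_history(parsed), start=1):
        print(f"{position}. {command}")
    if orphan_entries(parsed):
        print("unordered entries:", ", ".join(orphan_entries(parsed)))
```

Run against a real export, the output lists each Run-dialog entry in the order recorded by MRUList; anything in the key that MRUList no longer references is reported separately so it is not silently lost.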
Normal Use Case
The information stored in the RunMRU registry is used to populate the "Recent Items" list in the Start menu, making it easy for users to quickly access recently used files. The RunMRU registry is also used for application compatibility purposes, as older applications may not be able to run correctly on modern versions of Windows without the information stored in the RunMRU registry.
Malicious Use Case
While the RunMRU registry serves a useful purpose for end users, it can also be used by attackers to gain insight into the activities of an infected system. For example, attackers can use the RunMRU registry to determine which applications and documents have been recently executed on a system, potentially exposing sensitive information or identifying targets for further attack.
Additionally, attackers can use the RunMRU registry to persistently execute malicious code on a system. By adding a malicious file to the RunMRU registry, attackers can ensure that their code will be executed every time the system is started. This can be especially dangerous in the case of system-level infections, where the malicious code will run with elevated privileges and have full access to the system.
Conclusion
The RunMRU registry is an important component of the Microsoft Windows operating system, storing information about the most recently executed applications and documents. While the RunMRU registry serves a useful purpose for end users, it also presents a potential security risk if not properly managed. In this blog post, we have discussed the normal use
For proof of execution of malicious activity related to the RunMRU registry, we recommend viewing the SANS poster "RunMRU Registry Key: Proof of Execution". This poster can be found at the following link: