Query the Registry for the most common MRU information for All User Hives, including offline users

AID2201202337.YAML

#####aid_begin
#description: registry scan for mru (most recently run) info for all users
#id: aid2201202337
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  invoke-loadallprofilehives
#  get-bgloadedreghives
#  get-bgmruactivityview
#  invoke-bgunloadallprofilehives
#notes: |-
#  1) load all registry hives for all users
#  2) query all loaded registry hives
#  3) query the most populated mru registry keys
#      o 'hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedpidlmru'
#      o 'hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedpidlmrulegacy'
#      o 'hkey_current_user\software\microsoft\windows\currentversion\explorer\comdlg32\firstfolder'
#      o 'hkey_current_user\software\microsoft\windows\currentversion\explorer\runmru'
#      o 'hkey_current_user\software\ivosoft\classicstartmenu\mru'
#      o 'hkey_current_user\software\microsoft\windows\currentversion\explorer\recentdocs'
#  4) unload all registry hives that were loaded on the first call
#####aid_end
commands:
- Invoke-LoadAllProfileHives
- Get-BGLoadedRegHives
- Get-BGMRUActivityView
postcommands:
- Invoke-BGUnLoadAllProfileHives
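The four steps in the notes (load every profile hive, query the listed MRU keys, unload what was loaded), as an added PowerShell example that is not the record's own BG* cmdlets. It assumes an elevated session, reads profile paths from ProfileList, and uses a constructed mount name `OfflineMRU_<SID>` for hives it loads itself:

```powershell
# Added example, not part of the AID record. Run elevated: reg.exe load/unload needs it.
$mruSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    'Software\IvoSoft\ClassicStartMenu\MRU',
    'Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
)

function Get-MruFromHive {
    param([string]$HiveRoot, [string]$ProfilePath)
    foreach ($sub in $mruSubKeys) {
        $path = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }   # key absent in this hive
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $raw = $key.GetValue($name)
            # PIDL and RecentDocs entries are REG_BINARY; keep them as hex for later decoding
            $value = if ($raw -is [byte[]]) { ($raw | ForEach-Object { $_.ToString('x2') }) -join '' } else { $raw }
            [pscustomobject]@{ Profile = $ProfilePath; Key = $sub; Name = $name; Value = $value }
        }
    }
}

# Step 1/2: enumerate local user profiles (S-1-5-21-* SIDs) and reach each hive, loaded or offline
$profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

$results = foreach ($p in $profiles) {
    $sid = $p.PSChildName
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive already loaded (user currently logged on): query it in place, do not unload it
        Get-MruFromHive -HiveRoot "HKEY_USERS\$sid" -ProfilePath $p.ProfileImagePath
        continue
    }
    $ntuser = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) { continue }
    $mount = "OfflineMRU_$sid"                     # constructed temporary mount name
    & reg.exe load "HKU\$mount" $ntuser | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }          # hive locked or otherwise unavailable
    try     { Get-MruFromHive -HiveRoot "HKEY_USERS\$mount" -ProfilePath $p.ProfileImagePath }
    finally {
        # Step 4: release .NET key handles, then unload only the hives this script loaded
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}

$results | Sort-Object Profile, Key | Format-Table -AutoSize
```

Hives that were already loaded are left loaded, matching the record's intent of unloading only what the first step loaded.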