TypedURLs
Overview
Section titled “Overview”Evidence: TypedURLs
Description: Enumerate TypedURLs
Category: System
Platform: windows
Short Name: typedurls
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Internet Explorer maintains a list of URLs that users manually type into the address bar (as opposed to clicking links). This registry artifact provides evidence of deliberate navigation to specific websites and can indicate user intent or knowledge.
TypedURLs are stored in the user’s registry hive along with optional timestamp information in the TypedURLsTime key (Windows 7+).
Data Collected
Section titled “Data Collected”This collector gathers structured data about typedurls.
TypedURLs Data
Section titled “TypedURLs Data”| Field | Description | Example |
|---|---|---|
URL | Typed URL | https://www.example.com |
AccessTime | When URL was typed (if available) | 2023-10-15T14:30:00 |
Username | User account name | user |
KeyPath | Registry key path | Software\Microsoft\Internet Explorer\TypedURLs |
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
Section titled “Collection Method”This collector:
- Collects user registry hives (ntuser.dat)
- Searches for:
Software\Microsoft\Internet Explorer\TypedURLs - Reads URL values (url1, url2, etc.)
- Reads corresponding timestamps from
TypedURLsTimekey (if available) - Converts FILETIME values to readable timestamps
Forensic Value
Section titled “Forensic Value”Typed URLs reveal deliberate user navigation and can indicate intent or knowledge. Investigators use this data to identify manually entered malicious URLs, detect phishing site visits, prove user knowledge of specific websites, track direct navigation to C2 infrastructure, establish user intent through URL typing, and correlate with browser history and downloads.