Description: The UserAssist registry keys (per user, under the user's hive at Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, with ROT13-encoded value names) record programs the user launched through Windows Explorer (double-click, Start menu, shortcuts), together with a run count and a last-execution timestamp. Launches from a console, a script or a service are not recorded there, so an empty result is not evidence that nothing ran. osquery's userassist table decodes the entries; this query joins them to the users table on the SID to show which account ran which program in the last day.
SQL:
SELECT u.username, u.description, u.shell, u.type,
       a.path,
       DATETIME(a.last_execution_time, 'unixepoch', 'localtime') AS last_execution_time,
       DATE(a.last_execution_time, 'unixepoch', 'localtime') AS last_execution_date,
       a.count
FROM users u CROSS JOIN userassist a ON a.sid = u.uuid
WHERE last_execution_date > DATE('now', '-1 days', 'localtime');
Operating Systems: Windows Only
#explorer #hacker
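Added example, not part of the original pack entry: the same users/userassist join, widened to the last seven days and narrowed to programs launched from user-writable locations (Downloads, the user's Temp directory, roaming AppData, Public, Desktop), which is where dropped payloads usually end up before a user double-clicks them. It assumes osquery on Windows with the users and userassist tables; the location labels and the directory patterns are my own choices, and both sides of the date comparison are computed in local time so that a late-evening launch is not lost to a UTC day boundary.

```sql
-- Hunt query (added example): Explorer-launched programs from user-writable
-- locations in the last 7 days, with the launching account.
-- Assumes osquery on Windows (users + userassist tables).
-- The location labels and path patterns below are illustrative assumptions.
SELECT username,
       type,
       path,
       count,
       last_execution_time_local,
       launch_location
FROM (
    SELECT u.username,
           u.type,
           a.path,
           a.count,
           a.last_execution_time,
           DATETIME(a.last_execution_time, 'unixepoch', 'localtime') AS last_execution_time_local,
           DATE(a.last_execution_time, 'unixepoch', 'localtime')     AS last_execution_date_local,
           -- SQLite LIKE is case-insensitive for ASCII and does not treat
           -- backslash as an escape character, so Windows paths match literally.
           CASE
             WHEN a.path LIKE '%\downloads\%'          THEN 'downloads'
             WHEN a.path LIKE '%\appdata\local\temp\%' THEN 'user_temp'
             WHEN a.path LIKE '%\appdata\roaming\%'    THEN 'appdata_roaming'
             WHEN a.path LIKE '%\public\%'             THEN 'public'
             WHEN a.path LIKE '%\desktop\%'            THEN 'desktop'
           END AS launch_location
    FROM users u
    CROSS JOIN userassist a ON a.sid = u.uuid
)
WHERE last_execution_date_local > DATE('now', '-7 days', 'localtime')
  AND launch_location IS NOT NULL
ORDER BY last_execution_time DESC;
```

Two caveats when reading the output. UserAssist entries can be recorded with a KnownFolder GUID prefix in place of the folder name, so a path filter like the one above is a triage aid, not an exhaustive list; review the unfiltered results from the pack query as well. And because only Explorer-initiated launches are recorded, pair this with process_events or Sysmon process-creation data if the question is "did this binary ever run" rather than "did the user start it from the GUI".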