$ target-query <path/to/target> -f trusteddocs




Module documentation

Plugin to obtain Microsoft Office Trusted Document registry keys.

Function documentation

Return Microsoft Office TrustRecords registry keys for all Office applications.

Microsoft uses Trusted Documents to cache whether the user enabled editing and/or macros for a document. These entries may therefore reveal whether macros have been enabled for a malicious Office document.

Yields records based on the values within the TrustRecords registry keys. Each record contains at least the following fields:

- application (string): Application name of the Office product that produced the TrustRecords registry key.
- document_path (path): Path to the document for which a TrustRecords entry is created.
- ts (datetime): The created time of the TrustRecord registry key.
- type (varint): Type of the value within the TrustRecords registry key.
- value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.
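
Added example (not part of the plugin or its documentation): a triage pass over records with the fields listed above that decodes the value bytes and flags documents for which macros were enabled. The value layout used here is an assumption taken from public DFIR research, not from this page: the first 8 bytes are a little-endian FILETIME and the last 4 bytes are a flag where 0x7FFFFFFF means macros were enabled. The records are constructed sample data held in plain dictionaries.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed value layout (public DFIR research, not stated on this page):
# bytes 0-7 = little-endian FILETIME, final 4 bytes = little-endian flag,
# where 0x7FFFFFFF means "Enable Content" (macros) was clicked.
MACROS_ENABLED_FLAG = 0x7FFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_trust_value(value: bytes) -> dict:
    """Decode the assumed fields of one TrustRecords value."""
    if len(value) < 12:
        raise ValueError(f"TrustRecords value too short: {len(value)} bytes")
    (filetime,) = struct.unpack_from("<Q", value, 0)
    (flag,) = struct.unpack_from("<I", value, len(value) - 4)
    return {"embedded_ts": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "flag": flag, "macros_enabled": flag == MACROS_ENABLED_FLAG}


def triage(records):
    """Return (macro_hits, malformed_paths) for an iterable of record-like dicts."""
    hits, malformed = [], []
    for rec in records:
        try:
            decoded = decode_trust_value(rec["value"])
        except ValueError:
            # Keep undecodable entries visible instead of silently dropping them.
            malformed.append(rec["document_path"])
            continue
        if decoded["macros_enabled"]:
            hits.append((rec["application"], rec["document_path"], decoded["embedded_ts"]))
    return hits, malformed


# Constructed sample records using the field names listed above.
_FT = struct.pack("<Q", 133_000_000_000_000_000)
SAMPLE_RECORDS = [
    {"application": "Word", "document_path": "%USERPROFILE%/Downloads/invoice.docm",
     "value": _FT + bytes(12) + struct.pack("<I", 0x7FFFFFFF)},
    {"application": "Excel", "document_path": "%USERPROFILE%/Documents/budget.xlsx",
     "value": _FT + bytes(12) + struct.pack("<I", 1)},
    {"application": "Word", "document_path": "%USERPROFILE%/Desktop/short.doc",
     "value": b"\x01\x02"},
]

if __name__ == "__main__":
    hits, malformed = triage(SAMPLE_RECORDS)
    print("macros enabled:", hits)
    print("unparsed values:", malformed)
```

A hit only shows that the user accepted the macro prompt for that path; correlate document_path and ts with download and process-execution evidence before drawing conclusions.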