TypedURLs

Overview

Evidence: TypedURLs Description: Enumerate TypedURLs Category: Registry Platform: Windows Short Name: typedurls Is Parsed: Yes - Registry data parsed with timestamps Sent to Investigation Hub: Yes Collect File(s): No

Background

Internet Explorer maintains a list of URLs that users manually type into the address bar (as opposed to clicking links). This registry artifact provides evidence of deliberate navigation to specific websites and can indicate user intent or knowledge.

TypedURLs are stored in the user's registry hive along with optional timestamp information in the TypedURLsTime key (Windows 7+).

Data Collected

Collection Method

This collector:

• Collects user registry hives (ntuser.dat)

• Searches for: Software\Microsoft\Internet Explorer\TypedURLs

• Reads URL values (url1, url2, etc.)

• Reads corresponding timestamps from TypedURLsTime key (if available)

• Converts FILETIME values to readable timestamps

Usage

Typed URLs reveal deliberate user navigation and can indicate intent or knowledge. Investigators use this data to identify manually entered malicious URLs, detect phishing site visits, prove user knowledge of specific websites, track direct navigation to C2 infrastructure, establish user intent through URL typing, and correlate with browser history and downloads.

Known Limitations

• Only tracks Internet Explorer/Edge (non-Chromium)

• Limited to most recent typed URLs (typically ~25)

• Timestamps only available on Windows 7+

• Can be cleared through browser settings

• Doesn't capture URLs from links or favorites

• Not populated if user doesn't use IE/Edge

Notes

Typed URLs indicate more deliberate action than clicked links. The presence of suspicious URLs in TypedURLs suggests user intent rather than accidental navigation through phishing.