WordWheelQuery
WordWheelQuery maintains searches performed through the Explorer search dialog.
Analysis
WordWheelQuery is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\
The following information is generally available for each WordWheelQuery value:
* Query performed
* MRU position
The values under the key maintain a list of the search queries performed, where MRU position 0 represents the most recent query.
The data for each value is of type REG_BINARY and contains the search query string.
The LastWriteTime of the WordWheelQuery key is the timestamp at which the most recent search query (i.e., MRU position 0) was performed.
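As an added example (not part of the original page), the decoder below turns the raw WordWheelQuery values into queries in MRU order. The sample values are constructed, standing in for what a hive parser would return, and the example assumes the MRUListEx layout (little-endian DWORD value indexes, most recent first, terminated by 0xFFFFFFFF), which the page itself does not describe.

```python
import struct

# Constructed sample of the values under the WordWheelQuery key, shaped like the
# name -> raw bytes mapping an offline hive parser would hand back (assumption).
# Numbered values are REG_BINARY holding the query as UTF-16LE, NUL-terminated.
# MRUListEx is assumed to be little-endian DWORD indexes, most recent first,
# terminated by 0xFFFFFFFF; note the value name is NOT the MRU position.
SAMPLE_VALUES = {
    "0": "passwords".encode("utf-16-le") + b"\x00\x00",
    "1": "*.pfx".encode("utf-16-le") + b"\x00\x00",
    "2": "budget 2023".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def decode_query(data: bytes) -> str:
    """Decode one REG_BINARY WordWheelQuery value into the search string."""
    text = data.decode("utf-16-le", errors="replace")
    # Stop at the first NUL; anything after it is terminator or slack.
    return text.split("\x00", 1)[0]


def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indexes in MRU order (position 0 = most recent query)."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def mru_queries(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Return (MRU position, query) pairs, most recent first.

    An index listed in MRUListEx with no matching value is reported rather than
    silently dropped, so a partially cleared history stays visible.
    """
    result = []
    for pos, idx in enumerate(parse_mrulistex(values.get("MRUListEx", b""))):
        raw = values.get(str(idx))
        query = decode_query(raw) if raw is not None else f"<missing value {idx}>"
        result.append((pos, query))
    return result


if __name__ == "__main__":
    for pos, query in mru_queries(SAMPLE_VALUES):
        print(f"MRU {pos}: {query}")
```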
Investigation Considerations
WordWheelQuery can support assertions that the user searched for a particular string.
Threat actors with interactive sessions may leverage this Windows feature to search the filesystem for sensitive files, such as plaintext credentials (e.g., passwords.txt) or certificates (e.g., .pem, .pfx), or to identify files of interest for exfiltration.
This registry-based artifact may also help determine intent, support impact assessments, and provide leads for identifying additional access.