create-or-open-registry-key.yml
rule:
  meta:
    name: create or open registry key
    authors:
      - michael.hunhoff@mandiant.com
      - anushka.virgaonkar@mandiant.com
    # Library rule: capa does not report it as a standalone match, it exists to be
    # referenced by higher-level rules (persistence, configuration access, etc.).
    lib: true
    scopes:
      # Static analysis looks for the feature inside one basic block; dynamic
      # analysis (sandbox trace) evaluates it against a single API call.
      static: basic block
      dynamic: call
    mbc:
      - Operating System::Registry::Create Registry Key [C0036.004]
      - Operating System::Registry::Open Registry Key [C0036.003]
    # Each example is a sample identifier (name or MD5 from the capa test corpus)
    # followed by the address at which this rule is expected to match.
    examples:
      - Practical Malware Analysis Lab 03-02.dll_:0x10004706
      - Practical Malware Analysis Lab 11-01.exe_:0x401000
      - 493167E85E45363D09495D0841C30648:0x404D60
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4045F2
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E
      - 692f7fd6d198e804d6af98eb9e390d61:0x6000003
  features:
    # Any one of the listed APIs satisfies the rule. Because it covers *opening*
    # a key as well as creating one, a match by itself only shows that the
    # sample touches the registry; whether it reads or writes is decided by the
    # rules that build on this one.
    - or:
      # Win32 registry API (advapi32.dll), including the transacted variants
      - api: advapi32.RegOpenKey
      - api: advapi32.RegOpenKeyEx
      - api: advapi32.RegCreateKey
      - api: advapi32.RegCreateKeyEx
      - api: advapi32.RegOpenCurrentUser
      - api: advapi32.RegOpenKeyTransacted
      - api: advapi32.RegOpenUserClassesRoot
      - api: advapi32.RegCreateKeyTransacted
      # Native API entry points (Zw*/Nt* exports of ntdll) used to bypass the
      # Win32 layer; listed without a module so either import style matches
      - api: ZwOpenKey
      - api: ZwOpenKeyEx
      - api: ZwCreateKey
      - api: ZwOpenKeyTransacted
      - api: ZwOpenKeyTransactedEx
      - api: ZwCreateKeyTransacted
      - api: NtOpenKey
      - api: NtCreateKey
      # shlwapi "user-specific" helpers that resolve HKCU then HKLM
      - api: SHRegOpenUSKey
      - api: SHRegCreateUSKey
      # Runtime-library helper for creating keys by path
      - api: RtlCreateRegistryKey
      # .NET managed registry API (Microsoft.Win32.RegistryKey)
      - api: Microsoft.Win32.RegistryKey::OpenSubKey
      - api: Microsoft.Win32.RegistryKey::OpenBaseKey
      - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey
      - api: Microsoft.Win32.RegistryKey::CreateSubKey