delete registry key

rule:
  meta:
    name: delete registry key
    namespace: host-interaction/registry/delete
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
      - johnk3r
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Delete Registry Key [C0036.002]
    examples:
      - 4f11bdb380dafa2518053c6d20147a05:0x402A36
      - 493167E85E45363D09495D0841C30648:0x404D60
  features:
    - and:
      - optional:
        - match: create or open registry key
      - or:
        - api: advapi32.RegDeleteKey
        - api: advapi32.RegDeleteTree
        - api: advapi32.RegDeleteKeyEx
        - api: advapi32.RegDeleteKeyTransacted
        - api: ZwDeleteKey
        - api: NtDeleteKey
        - api: SHDeleteKey
        - api: SHDeleteEmptyKey
        - api: SHRegDeleteEmptyUSKey
        - api: Microsoft.Win32.RegistryKey::DeleteSubKey
        - api: Microsoft.Win32.RegistryKey::DeleteSubKeyTree