host-interaction/registry/delete

delete registry value

rule:
  meta:
    name: delete registry value
    namespace: host-interaction/registry/delete
    authors:
      - michael.hunhoff@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Delete Registry Value [C0036.007]
    examples:
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4041A0
  features:
    - and:
      - optional:
        - match: create or open registry key
      - or:
        - api: advapi32.RegDeleteValue
        - api: advapi32.RegDeleteKeyValue
        - api: ZwDeleteValueKey
        - api: NtDeleteValueKey
        - api: RtlDeleteRegistryValue
        - api: SHDeleteValue
        - api: SHRegDeleteUSValue
        - api: Microsoft.Win32.RegistryKey::DeleteValue

last edited: 2023-11-24 10:34:28