disable System Restore features via registry on Windows

rule:
  meta:
    name: disable System Restore features via registry on Windows
    namespace: impact/features
    authors:
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
    mbc:
      - Defense Evasion::Disable or Evade Security Tools [F0004]
  features:
    - and:
      - match: set registry value
      - string: /SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore/i
      - or:
        - string: /DisableSR/i
        - string: /DisableConfig/i