host-interaction/registry

query or enumerate registry key

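rule:
  meta:
    name: query or enumerate registry key
    namespace: host-interaction/registry
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::Query Registry [T1012]
    mbc:
      - Operating System::Registry::Query Registry Key [C0036.005]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404930
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402608
  features:
    - and:
      # The key handle is normally obtained first, but the open/create call
      # may live in another function, so it is optional and any one of the
      # enumerate/query APIs below is enough for a match.
      - optional:
        - match: create or open registry key
      - or:
        # Win32 (advapi32) enumeration and query APIs. Names are written
        # without the A/W suffix so capa matches both the ANSI and Unicode
        # exports; the previous `RegQueryInfoKeyA` entry missed
        # RegQueryInfoKeyW, unlike the unsuffixed RegEnumKey entries.
        - api: advapi32.RegEnumKey
        - api: advapi32.RegEnumKeyEx
        - api: advapi32.RegQueryInfoKey
        # Native API equivalents (Zw*/Nt*) and the kernel-mode RTL helper.
        - api: ZwQueryKey
        - api: ZwEnumerateKey
        - api: NtQueryKey
        - api: NtEnumerateKey
        - api: RtlCheckRegistryKey
        # shlwapi SH*/SHReg* wrappers around the same operations.
        - api: SHEnumKeyEx
        - api: SHQueryInfoKey
        - api: SHRegEnumUSKey
        - api: SHRegQueryInfoUSKey
        # .NET equivalents for managed samples.
        # NOTE(review): OpenBaseKey/OpenSubKey/OpenRemoteBaseKey open a key
        # rather than enumerate it, so for managed samples this rule also
        # fires on a plain key open; OpenRemoteBaseKey additionally implies
        # access to another machine's registry. Confirm this breadth is
        # intended before relying on the rule for triage.
        - api: Microsoft.Win32.RegistryKey::GetSubKeyNames
        - api: Microsoft.Win32.RegistryKey::OpenBaseKey
        - api: Microsoft.Win32.RegistryKey::OpenRemoteBaseKey
        - api: Microsoft.Win32.RegistryKey::OpenSubKey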
