query or enumerate registry value

rule:
  meta:
    name: query or enumerate registry value
    namespace: host-interaction/registry
    authors:
      - william.ballenthin@mandiant.com
      - michael.hunhoff@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::Query Registry [T1012]
    mbc:
      - Operating System::Registry::Query Registry Value [C0036.006]
    examples:
      - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A
      - Practical Malware Analysis Lab 03-02.dll_:0x100047AD
  features:
    - and:
      - optional:
        - match: create or open registry key
      - or:
        - api: advapi32.RegGetValue
        - api: advapi32.RegEnumValue
        - api: advapi32.RegQueryValue
        - api: advapi32.RegQueryValueEx
        - api: advapi32.RegQueryMultipleValues
        - api: ZwQueryValueKey
        - api: ZwEnumerateValueKey
        - api: NtQueryValueKey
        - api: NtEnumerateValueKey
        - api: RtlQueryRegistryValues
        - api: SHGetValue
        - api: SHEnumValue
        - api: SHRegGetInt
        - api: SHRegGetPath
        - api: SHRegGetValue
        - api: SHQueryValueEx
        - api: SHRegGetUSValue
        - api: SHOpenRegStream
        - api: SHRegEnumUSValue
        - api: SHOpenRegStream2
        - api: SHRegQueryUSValue
        - api: SHRegGetBoolUSValue
        - api: SHRegGetValueFromHKCUHKLM
        - api: SHRegGetBoolValueFromHKCUHKLM
        - api: Microsoft.Win32.RegistryKey::GetValue
        - api: Microsoft.Win32.RegistryKey::GetValueKind
        - api: Microsoft.Win32.RegistryKey::GetValueNames
        - api: Microsoft.Win32.Registry::GetValue