set registry value

rule:
  meta:
    name: set registry value
    namespace: host-interaction/registry/create
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Operating System::Registry::Set Registry Key [C0036.001]
    examples:
      - BFB9B5391A13D0AFD787E87AB90F14F5:0x13147AF0
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40433E
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x40415E
      - 98c37c3c23bbfb362dac7754c6ba48e75cf24d73bc963a4cdfca557b9e016909:0x40294D
  features:
    - or:
      - and:
        - optional:
          - match: create or open registry key
        - or:
          - api: advapi32.RegSetValue
          - api: advapi32.RegSetValueEx
          - api: advapi32.RegSetKeyValue
          - api: ZwSetValueKey
          - api: NtSetValueKey
          - api: RtlWriteRegistryValue
          - api: SHSetValue
          - api: SHRegSetPath
          - api: SHRegSetValue
          - api: SHRegSetUSValue
          - api: SHRegWriteUSValue
          - api: Microsoft.Win32.RegistryKey::SetValue
          - api: Microsoft.Win32.Registry::SetValue
      - and:
        - match: host-interaction/process/create
        - string: "/add/i"
        - or:
          - string: "/reg(|.exe)/i"
          - string: "/hklm/i"
          - string: "/HKEY_LOCAL_MACHINE/i"
          - string: "/hkcu/i"
          - string: "/HKEY_CURRENT_USER/i"