Registry micro-behavior

[RazviOverflow]

Hello.

I am implementing a C++ corpus of behavior examples and I am using MBC as reference. I have a question about a specific Registry Micro-behavior. Specifically, about Set Registry Key | C0036.001.

I would like to know what does "setting a registry key" actually imply. How is it any different from Create Registry Key | C0036.004?

In fact, taking a look at the examples of malware use, none of them matches C0036.001.

Thank you.

P.S: I am not quite sure this discussion belongs here. If not, feel free to move it to its corresponding discussion/issue thread.

[williballenthin]

I suspect that C0036.001 should probably be "Set Registry Value" since a Registry key doesn't have any associated value to manipulate or "set" (well, it has the default value, I suppose, but that's an edge case).

With this in mind, I'd imagine:

• Create Registry Key | C0036.004 -> RegCreateKey*
• Set Registry Key/Value | C0036.001 -> RegSetValue*

[RazviOverflow]

That's what I thought as well, but wanted to confirm it. In fact, the default value of a registry key is a value per se (at least in terms of nowadays registry terminology).

I think that:

1. Set Registry Key/Value | C0036.001 should become Set Registry Value data | C0036.001.
2. Maybe a new micro-behavior to be considered Create Registry Value | C0036.007, given that a value name can be created for a certain key and left empty (no value set). In other words, creating a registry value does not necessarily imply assigning a value data to it.

[dzbeck]

Thanks @RazviOverflow for pointing out this issue, and thanks @williballenthin for the links/fix. Looking at winreg.h, RegCreateKey and RegSetKeyValue/RegSetValue functions are defined, but not "RegCreateValue" functions. So, how about (Willi's suggestion):

Create Registry Key | C0036.004 | Malware creates a registry key.
Set Registry Key Value (add "Value") | C0036.001 | Malware sets the data of a value in a registry key.

Or should the second instead be "Set Registry Value" (no "Key")?

[RazviOverflow]

In my opinion, in order to be precise and follow Microsoft's terminology, keys and values shouldn't be mixed because the latter implies the existence of the former. As it is stated in the Structure of the Registry: "The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values.". What is more, in the Registry element size limits, they define just 4 types of Registry elements:

• Key name
• Value name
• Value (this is also referred to as value data in other docs)
• Tree

There isn't even the notion of subkey given that a subkey is nothing but a key inside another one.

In other words, when we talk about a value, we are implicitly assuming the existence of a key containing it because that's how the Registry works, so (from my point of view) there is no such thing as key value. Rather, I'd say a key can contain 1+ values (assuming the existence of the default value).

The function RegSetKeyValue can be misleading in its name, but it "Sets the value data for the specified value name in the specified registry key and subkey."

Or should the second instead be "Set Registry Value" (no "Key")?

My take is "Set Registry Value", without "Key".

[dzbeck]

Thanks @RazviOverflow - that makes sense. I'll make the change "Set Registry Key" to "Set Registry Value" for C0036.001.

[RazviOverflow]

Glad to help :)