Why use 'or' for 'set registry value' instead of 'and'?

[jorik-utwente]

Many persistence rules that involve writing to the registry use a pattern similar to:

- and:
  - or:
    - match: set registry value
    - number: 0x80000001 = HKEY_CURRENT_USER
    - number: 0x80000002 = HKEY_LOCAL_MACHINE
 ...

Does this not result in false positives when reading registry values?

I would expect the pattern to look like this:

- and:
  - match: set registry value
  - or:
    - number: 0x80000001 = HKEY_CURRENT_USER
    - number: 0x80000002 = HKEY_LOCAL_MACHINE
 ...

Example here: https://github.com/mandiant/capa-rules/blob/master/persistence/registry/run/persist-via-run-registry-key.yml
To my understanding, reading the registry key from e.g. Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load will result in a false positive. Or am I missing something?

Thanks!

[williballenthin]

my guess is that @mr-tz is trying to account for indirect calls to SetRegValue (that we can't resolve) but can still sort of recognize by the hive constants.

still seems like it might FP though. have you seen this happen? i wonder if we can find an example.

can you shed any insight @mr-tz ?

[mr-tz]

yes, what Willi said

happy to adjust if you have any examples of FPs

[jorik-utwente]

Thanks! I haven't seen any FPs yet, but I will let you know if I do.