From 4b5faf196b1218f4cd118de17b2b1e072eb6e6f0 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Wed, 1 Mar 2023 20:50:30 +0100
Subject: [PATCH] add: [registry-key-value] New template to describe registry key values
- The `registry-key` object template includes already the `data`, `data-type` & `name` fields of a registry key value, but there is a limitation in the case of multiple registry key values
- In order to describe multiple registry key values, instead of adding a simple `multiple` field to the related and above mentioned fields, it is better to use the `registry-key-value` template so we know which data, data type and name values are related to a given registry key value
- It is then possible to have a reference between the registry key object and the related values
---
 README.md | 1 +
 objects/registry-key-value/definition.json | 53 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 objects/registry-key-value/definition.json
diff --git a/README.md b/README.md
index c3617cc..6f53d34 100644
--- a/README.md
+++ b/README.md
@@ -315,6 +315,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/reddit-subreddit](https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json) - Public or private subreddit.
 - [objects/regexp](https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
 - [objects/registry-key](https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json) - Registry key object describing a Windows registry key with value and last-modified timestamp.
+- [objects/registry-key-value](https://github.com/MISP/misp-objects/blob/main/objects/registry-key-value/definition.json) - Registry key value object describing a Windows registry key value with its data, data type and name, to be used when a registry key has multiple values
 - [objects/regripper-NTUser](https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json) - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.
 - [objects/regripper-sam-hive-single-user](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json) - Regripper Object template designed to present user profile details extracted from the SAM hive.
 - [objects/regripper-sam-hive-user-group](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json) - Regripper Object template designed to present group profile details extracted from the SAM hive.
diff --git a/objects/registry-key-value/definition.json b/objects/registry-key-value/definition.json
new file mode 100644
index 0000000..daf1f05
--- /dev/null
+++ b/objects/registry-key-value/definition.json
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "data": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Data stored in the registry key value",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "data-type": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Registry key value type",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "REG_NONE",
+ "REG_SZ",
+ "REG_EXPAND_SZ",
+ "REG_BINARY",
+ "REG_DWORD",
+ "REG_DWORD_LITTLE_ENDIAN",
+ "REG_DWORD_BIG_ENDIAN",
+ "REG_LINK",
+ "REG_MULTI_SZ",
+ "REG_RESOURCE_LIST",
+ "REG_FULL_RESOURCE_DESCRIPTOR",
+ "REG_RESOURCE_REQUIREMENTS_LIST",
+ "REG_QWORD",
+ "REG_QWORD_LITTLE_ENDIAN"
+ ],
+ "ui-priority": 0
+ },
+ "name": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Name of the registry key value",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Registry key value object describing a Windows registry key value, with its data, data type and name values. To be used when a registry key has multiple values.",
+ "meta-category": "file",
+ "name": "registry-key-value",
+ "requiredOneOf": [
+ "data"
+ ],
+ "uuid": "4626a273-72c1-48d3-8595-ff48ea2277f7",
+ "version": 1
+}
\ No newline at end of file
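Review bot: `"requiredOneOf": ["data"]` makes `data` the only attribute that can satisfy the template, so a registry value observed by name only (data not collected, or an empty REG_NONE value) cannot be represented; `"requiredOneOf": ["data", "name"]` would keep the object usable for those cases. `name` is left correlating while `data-type` gets `"disable_correlation": true`; generic value names such as `(Default)` are likely to correlate across unrelated events, so the same flag on `name` is worth considering, depending on the intended use. `data` is typed as `text` and its description does not say how non-string types (REG_BINARY, REG_DWORD) should be written, so producers may encode them differently; a hint such as `"Data stored in the registry key value (binary data as its hexadecimal representation)"` would make the field unambiguous. The file also ends without a trailing newline (`\ No newline at end of file`).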