{ "requiredOneOf": [ "key", "name", "data" ], "attributes": { "last-modified": { "description": "Last time the registry key has been modified", "categories": [ "Other" ], "ui-priority": 0, "misp-attribute": "datetime" }, "data-type": { "description": "Registry value type", "categories": [ "Persistence mechanism" ], "sane_default": [ "REG_NONE", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD", "REG_DWORD_LITTLE_ENDIAN", "REG_DWORD_BIG_ENDIAN", "REG_LINK", "REG_MULTI_SZ", "REG_RESOURCE_LIST", "REG_FULL_RESOURCE_DESCRIPTOR", "REG_RESOURCE_REQUIREMENTS_LIST", "REG_QWORD", "REG_QWORD_LITTLE_ENDIAN" ], "ui-priority": 0, "disable_correlation": true, "misp-attribute": "text" }, "data": { "description": "Data stored in the registry key", "categories": [ "Persistence mechanism" ], "ui-priority": 1, "misp-attribute": "text" }, "name": { "description": "Name of the registry key", "categories": [ "Persistence mechanism" ], "ui-priority": 1, "misp-attribute": "text" }, "key": { "description": "Full key path", "categories": [ "Persistence mechanism" ], "ui-priority": 1, "misp-attribute": "regkey" }, "hive": { "description": "Hive used to store the registry key (file on disk)", "categories": [ "Persistence mechanism" ], "ui-priority": 1, "disable_correlation": true, "misp-attribute": "text" }, "root-keys": { "description": "Root key of the Windows registry (extracted from the key)", "sane_default": [ "HKCC", "HKCR", "HKCU", "HKDD", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER", "HKEY_DYN_DATA", "HKEY_LOCAL_MACHINE", "HKEY_PERFORMANCE_DATA", "HKEY_USERS", "HKLM", "HKPD", "HKU" ], "ui-priority": 0, "misp-attribute": "text", "disable_correlation": true } }, "version": 4, "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "meta-category": "file", "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "name": "registry-key" }