From 231794927489f0c67a66c3d94766d96e82345c03 Mon Sep 17 00:00:00 2001 From: Matt Williams <13837569+mwilliams31@users.noreply.github.com> Date: Thu, 3 Oct 2024 05:38:40 -0400 Subject: [PATCH] New rule: open-recentdocs-registry-key.yml (#938) * Add rule get-process-filename.yml --------- Co-authored-by: Moritz --- .../registry/open-recentdocs-registry-key.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 host-interaction/registry/open-recentdocs-registry-key.yml diff --git a/host-interaction/registry/open-recentdocs-registry-key.yml b/host-interaction/registry/open-recentdocs-registry-key.yml new file mode 100644 index 00000000..3a3527c8 --- /dev/null +++ b/host-interaction/registry/open-recentdocs-registry-key.yml @@ -0,0 +1,21 @@ +rule: + meta: + name: open RecentDocs registry key + namespace: host-interaction/registry + authors: + - matthew.williams@mandiant.com + description: In the example sample, a RecentDocs registry value was leveraged for anti-sandbox purposes. See the referenced Palo Alto blog for details. + scopes: + static: basic block + dynamic: call + mbc: + - Operating System::Registry::Open Registry Key [C0036.003] + references: + - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/ + - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ + examples: + - 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip + features: + - and: + - match: create or open registry key + - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i
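Review bot: the `description` in this hunk describes what the example sample did ("a RecentDocs registry value was leveraged for anti-sandbox purposes") rather than what the rule actually matches, which is any create/open of the Explorer RecentDocs key combined with the key-path string; since RecentDocs is a normal most-recently-used list that benign software also reads, the description should state the matched behaviour first and present the sandbox-evasion use as the motivating observation, e.g. `description: opens the Explorer RecentDocs registry key (an MRU list of recently opened documents); the referenced sample read this key to check for a history of user activity as an anti-sandbox measure.` Related point: the rule carries only the generic MBC mapping `Operating System::Registry::Open Registry Key [C0036.003]`, so the evasion intent named in the description is not reflected in any mapping; if the project's conventions allow it, an `att&ck:` entry for `Defense Evasion::Virtualization/Sandbox Evasion [T1497]` would make the rule more useful for analysts triaging capa output. Minor: the PR body still says `* Add rule get-process-filename.yml`, which does not match the file this commit adds.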