The Offline Registry Library [1] provides functions for doing most registry operations, and these can be leveraged to evade certain analysis software. [2] To look for these in capa, would it make more sense to add the API calls to the existing rules in https://github.com/fireeye/capa-rules/tree/master/host-interaction/registry or should there be new rules that look for the same functionality but using the OR functions? I can think of pros and cons for both approaches...

[1] https://docs.microsoft.com/en-us/windows/win32/devnotes/offline-registry-library-portal
My first thoughts were to add a rule that detects the use of the Offline Registry Library as this is definitely noteworthy.
As the usage seems similar I'd then suggest to add the functions to the existing rules, e.g. adding `api: ORSetValue` to the `set registry value` rule.
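As an added illustration of the two approaches discussed in this thread (not rules taken from the capa-rules repository): a standalone rule that flags any use of the Offline Registry Library, followed by the `set registry value` rule extended with `ORSetValue` as suggested above. The rule names, namespaces, author field and the existing rule's `RegSetValue*` entries are assumptions; the `OR*` function names other than `ORSetValue` are taken from the Offline Registry Library documentation linked in the original post.

```yaml
# Approach 1: a dedicated rule, so any use of offreg.dll is reported
# as its own finding. In capa-rules each rule lives in its own file;
# the two rules are shown in one block here only for illustration.
rule:
  meta:
    name: use offline registry library
    namespace: host-interaction/registry
    authors:
      - analyst@example.com   # placeholder author
    scope: function
    description: >
      Matches on the Offline Registry Library (offreg.dll) exports, which
      read and edit hive files directly instead of going through the
      live registry APIs that most monitoring hooks.
    references:
      - https://docs.microsoft.com/en-us/windows/win32/devnotes/offline-registry-library-portal
  features:
    - or:
      - api: OROpenHive
      - api: ORCreateHive
      - api: ORSaveHive
      - api: ORCreateKey
      - api: ORSetValue
---
# Approach 2 (the one suggested in the reply above): extend the existing
# 'set registry value' rule so the offline variant matches the same
# behaviour. The advapi32 entries are assumed; check the repository copy
# of the rule before editing it.
rule:
  meta:
    name: set registry value
    namespace: host-interaction/registry/create
    authors:
      - analyst@example.com   # placeholder author
    scope: function
  features:
    - or:
      - api: advapi32.RegSetValue
      - api: advapi32.RegSetValueEx
      - api: advapi32.RegSetKeyValue
      - api: ORSetValue   # Offline Registry Library equivalent
```

Extending the existing rule keeps the capability-level result ("set registry value") stable across both API families, while the dedicated rule preserves the analysis-evasion signal that the original post calls out.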