Registry
Fields related to Windows Registry operations.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| registry.data.bytes | keyword | Extended | Original bytes written, base64-encoded. |
| registry.data.strings | wildcard | Core | List of strings representing what was written to the registry. |
| registry.data.type | keyword | Core | Standard registry type for encoding contents. |
| registry.hive | keyword | Core | Abbreviated name for the hive. |
| registry.key | keyword | Core | Hive-relative path of keys. |
| registry.path | keyword | Core | Full path, including hive, key and value. |
| registry.value | keyword | Core | Name of the value written. |
Field Details
registry.data.bytes
Type: keyword
Level: Extended
Description: Original bytes written, base64-encoded. This preserves the raw value (as passed to SetValueEx) even when it cannot be represented as strings, which matters most for REG_BINARY data.
Example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= (this example decodes to the UTF-16LE REG_MULTI_SZ sequence `en-US`, `en`)
Indexed: true
registry.data.strings
Type: wildcard
Level: Core
Description: List of strings representing what was written to the registry. Always an array: a single element for REG_SZ and REG_EXPAND_SZ values, one element per string for REG_MULTI_SZ.
Example: ["C:\rta\red_ttp\bin\myapp.exe"]
Normalization: array
Indexed: true
registry.data.type
Type: keyword
Level: Core
Description: Standard registry type used to encode the contents, such as REG_SZ, REG_MULTI_SZ, REG_DWORD or REG_BINARY.
Example: REG_SZ
Indexed: true
registry.hive
Type: keyword
Level: Core
Description: Abbreviated name for the hive.
Example: HKLM
Indexed: true
registry.key
Type: keyword
Level: Core
Description: Hive-relative path of keys.
Example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe
Indexed: true
registry.path
Type: keyword
Level: Core
Description: Full path, including hive, key and value.
Example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger
Indexed: true
registry.value
Type: keyword
Level: Core
Description: Name of the value written.
Example: Debugger
Indexed: true
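As an added example (not ECS's own code or tooling), the following Python maps one raw Windows registry write onto the fields above: it splits the full path into `registry.hive`, `registry.key` and `registry.value`, decodes the raw data into `registry.data.strings` according to `registry.data.type`, keeps the original bytes base64-encoded in `registry.data.bytes`, and runs a simple detection check over the result. The sample writes are constructed from the example values on this page; the long-to-short hive-name mapping, the `build_registry_event` helper, the `is_ifeo_debugger_write` rule and the `HKEY_CURRENT_USER` path of the second sample are assumptions made for illustration.

```python
"""Map a raw Windows registry write onto ECS registry.* fields (example code,
not part of ECS). Assumes the event source provides the full path, the
registry type name and the raw value bytes (SetValueEx's lpData)."""
import base64
import json
import struct

# Assumption: some sources emit long hive names; ECS wants the abbreviation.
HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_CONFIG": "HKCC",
}

IFEO_KEY = ("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
            "Image File Execution Options\\")


def split_registry_path(path):
    """Split 'HIVE\\key\\...\\value' into (hive, hive-relative key, value)."""
    hive, _, rest = path.partition("\\")
    key, sep, value = rest.rpartition("\\")
    if not hive or not sep:
        raise ValueError("expected HIVE\\key\\...\\value, got %r" % path)
    return HIVE_ABBREV.get(hive.upper(), hive.upper()), key, value


def decode_registry_data(type_name, raw):
    """Turn raw lpData bytes into the list stored in registry.data.strings.
    Windows stores the REG_SZ family as UTF-16LE; REG_MULTI_SZ is a run of
    NUL-terminated strings closed by an extra NUL."""
    if type_name in ("REG_SZ", "REG_EXPAND_SZ"):
        return [raw.decode("utf-16-le").rstrip("\x00")]
    if type_name == "REG_MULTI_SZ":
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if type_name == "REG_DWORD":
        return [str(struct.unpack("<I", raw[:4])[0])]
    if type_name == "REG_DWORD_BIG_ENDIAN":
        return [str(struct.unpack(">I", raw[:4])[0])]
    if type_name == "REG_QWORD":
        return [str(struct.unpack("<Q", raw[:8])[0])]
    return []  # REG_BINARY and the rest: only registry.data.bytes is meaningful


def build_registry_event(path, type_name, raw):
    """Produce the ECS registry.* fields for a single registry write."""
    hive, key, value = split_registry_path(path)
    return {
        "registry": {
            "hive": hive,
            "key": key,
            "value": value,
            "path": path,
            "data": {
                "type": type_name,
                "bytes": base64.b64encode(raw).decode("ascii"),
                "strings": decode_registry_data(type_name, raw),
            },
        }
    }


def is_ifeo_debugger_write(event):
    """True when the write sets a Debugger value under Image File Execution
    Options, i.e. registers a program to be started in place of the named
    binary (the write shown in this page's registry.path example)."""
    reg = event["registry"]
    return (reg["hive"] == "HKLM"
            and reg["key"].upper().startswith(IFEO_KEY.upper())
            and reg["value"].lower() == "debugger")


# Constructed sample writes, reusing the values shown on this page.
SAMPLE_WRITES = [
    ("HKLM\\" + IFEO_KEY + "winword.exe\\Debugger", "REG_SZ",
     "C:\\rta\\red_ttp\\bin\\myapp.exe".encode("utf-16-le") + b"\x00\x00"),
    # Assumed path; the data is the page's registry.data.bytes example.
    ("HKEY_CURRENT_USER\\Control Panel\\International\\User Profile\\Languages",
     "REG_MULTI_SZ", base64.b64decode("ZQBuAC0AVQBTAAAAZQBuAAAAAAA=")),
]

if __name__ == "__main__":
    for path, rtype, raw in SAMPLE_WRITES:
        ev = build_registry_event(path, rtype, raw)
        print(json.dumps(ev, indent=2))
        print("IFEO Debugger write:", is_ifeo_debugger_write(ev))
```

The decoder keeps `registry.data.bytes` regardless of type, so a value that does not decode cleanly (a REG_BINARY blob, or a REG_SZ written without its terminating NUL) still reaches the index with its raw content intact, and `registry.data.strings` only carries what was actually recoverable as text.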