I have seen people specify

RegistryItem/KeyPath, RegistryItem/ValueName, RegistryItem/Value

to fully specify the value of a registry entry, and others just use

RegistryItem/Path, RegistryItem/Text

How do I know the proper way of creating this XML element, and if I'm interpreting it, how do I know what to expect?


Using the XML from

http://openioc.org/terms/Current.iocterms

(with display-type="string" term-source="application/vnd.mandiant.mir" removed)

<iocterm data-type="xs:string" text="RegistryItem/KeyPath" title="Registry Key Path" />
<iocterm data-type="xs:string" text="RegistryItem/Value" title="Registry Value" />
<iocterm data-type="xs:string" text="RegistryItem/ValueName" title="Registry Value Name" />

versus

<iocterm data-type="xs:string" text="RegistryItem/Path" title="Registry Path" />
<iocterm data-type="xs:string" text="RegistryItem/Type" title="Registry Type" />

As an example, this IOC uses RegistryItem/Path and RegistryItem/Text

http://openioc.org/iocs/ea3cab0c-72ad-40cc-abbf-90846fa4afec.ioc

whereas this one uses RegistryItem/Path and RegistryItem/ValueName

http://openioc.org/iocs/72669174-dd77-4a4e-82ed-99a96784f36e.ioc

Scott C Wilson

0 Answers