Class: WindowsRegistryKey
_The Registry Key Object represents the properties of a Windows registry key. _
URI: attack:WindowsRegistryKey
classDiagram
class WindowsRegistryKey
click WindowsRegistryKey href "../WindowsRegistryKey/"
CyberObservableObject <|-- WindowsRegistryKey
click CyberObservableObject href "../CyberObservableObject/"
WindowsRegistryKey : creator_user_ref
WindowsRegistryKey : defanged
WindowsRegistryKey : description
WindowsRegistryKey : extensions
WindowsRegistryKey : granular_markings
WindowsRegistryKey --> "*" GranularMarking : granular_markings
click GranularMarking href "../GranularMarking/"
WindowsRegistryKey : id
WindowsRegistryKey : key
WindowsRegistryKey : modified_time
WindowsRegistryKey : name
WindowsRegistryKey : number_of_subkeys
WindowsRegistryKey : object_marking_refs
WindowsRegistryKey : spec_version
WindowsRegistryKey --> "0..1" SpecVersionEnum : spec_version
click SpecVersionEnum href "../SpecVersionEnum/"
WindowsRegistryKey : type
WindowsRegistryKey : values
WindowsRegistryKey --> "*" WindowsRegistryValue : values
click WindowsRegistryValue href "../WindowsRegistryValue/"
Inheritance
- StixEntity
- CommonSchemaComponent
- CyberObservableCore
- CyberObservableObject
- WindowsRegistryKey
- CyberObservableObject
- CyberObservableCore
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| key | 0..1 String |
Registry key path | direct |
| values | * WindowsRegistryValue |
Registry value entries | direct |
| modified_time | 0..1 Datetime |
Modification timestamp | direct |
| creator_user_ref | 0..1 StixIdentifier |
Creating user reference | direct |
| number_of_subkeys | 0..1 Integer |
Number of registry subkeys | direct |
| type | 1 StixTypeName |
STIX object type | StixEntity, CyberObservableCore |
| spec_version | 0..1 SpecVersionEnum |
STIX specification version | CyberObservableCore |
| id | 1 StixIdentifier |
STIX object identifier | StixEntity, CyberObservableCore |
| object_marking_refs | * StixIdentifier |
Marking definition references applied to this object | CyberObservableCore |
| granular_markings | * GranularMarking |
Granular markings that apply to selected content | CyberObservableCore |
| defanged | 0..1 Boolean |
Defines whether or not the data contained within the object has been defanged | CyberObservableCore |
| extensions | * String |
Open-ended extension payloads | CyberObservableCore |
| name | 0..1 String |
Human-readable name | StixEntity |
| description | 0..1 String |
Human-readable description | StixEntity |
In Subsets
Comments
- jsonschema_rule: anyOf validator_hint: registry-key-presence-requirements jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/windows-registry-key.json
Notes
- JSON Schema uses anyOf for key/value/modified/creator/subkey presence requirements.
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:WindowsRegistryKey |
| native | attack:WindowsRegistryKey |
| exact | unified_cyber_ontology:WindowsRegistryKey |
LinkML Source
Direct
name: WindowsRegistryKey
description: 'The Registry Key Object represents the properties of a Windows registry
key. '
notes:
- JSON Schema uses anyOf for key/value/modified/creator/subkey presence requirements.
comments:
- 'jsonschema_rule: anyOf validator_hint: registry-key-presence-requirements jsonschema_source:
https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/windows-registry-key.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:WindowsRegistryKey
is_a: CyberObservableObject
slots:
- key
- values
- modified_time
- creator_user_ref
- number_of_subkeys
slot_usage:
id:
name: id
pattern: ^windows-registry-key--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
type:
name: type
pattern: ^windows-registry-key$
key:
name: key
pattern: ^(?!HKLM|HKCC|HKCR|HKCU|HKU|hklm|hkcc|hkcr|hkcu|hku).*$
Induced
name: WindowsRegistryKey
description: 'The Registry Key Object represents the properties of a Windows registry
key. '
notes:
- JSON Schema uses anyOf for key/value/modified/creator/subkey presence requirements.
comments:
- 'jsonschema_rule: anyOf validator_hint: registry-key-presence-requirements jsonschema_source:
https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/windows-registry-key.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:WindowsRegistryKey
is_a: CyberObservableObject
slot_usage:
id:
name: id
pattern: ^windows-registry-key--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
type:
name: type
pattern: ^windows-registry-key$
key:
name: key
pattern: ^(?!HKLM|HKCC|HKCR|HKCU|HKU|hklm|hkcc|hkcr|hkcu|hku).*$
attributes:
key:
name: key
description: Registry key path.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: key
owner: WindowsRegistryKey
domain_of:
- WindowsRegistryKey
range: string
pattern: ^(?!HKLM|HKCC|HKCR|HKCU|HKU|hklm|hkcc|hkcr|hkcu|hku).*$
values:
name: values
description: Registry value entries.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: values
owner: WindowsRegistryKey
domain_of:
- WindowsRegistryKey
range: WindowsRegistryValue
multivalued: true
inlined: true
modified_time:
name: modified_time
description: Modification timestamp.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: modified_time
owner: WindowsRegistryKey
domain_of:
- WindowsRegistryKey
range: datetime
creator_user_ref:
name: creator_user_ref
description: Creating user reference.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: creator_user_ref
owner: WindowsRegistryKey
domain_of:
- Process
- WindowsRegistryKey
range: stix_identifier
number_of_subkeys:
name: number_of_subkeys
description: Number of registry subkeys.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: number_of_subkeys
owner: WindowsRegistryKey
domain_of:
- WindowsRegistryKey
range: integer
type:
name: type
description: STIX object type.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:state
rank: 1000
alias: type
owner: WindowsRegistryKey
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_type_name
required: true
pattern: ^windows-registry-key$
spec_version:
name: spec_version
description: STIX specification version.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:specVersion
rank: 1000
alias: spec_version
owner: WindowsRegistryKey
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: SpecVersionEnum
id:
name: id
description: STIX object identifier.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: id
owner: WindowsRegistryKey
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_identifier
required: true
pattern: ^windows-registry-key--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
object_marking_refs:
name: object_marking_refs
description: Marking definition references applied to this object.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: object_marking_refs
owner: WindowsRegistryKey
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: stix_identifier
multivalued: true
granular_markings:
name: granular_markings
description: Granular markings that apply to selected content.
comments:
- 'jsonschema_minItems: "1"'
from_schema: https://w3id.org/lmodel/attack
narrow_mappings:
- unified_cyber_ontology:objectMarking
rank: 1000
alias: granular_markings
owner: WindowsRegistryKey
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
range: GranularMarking
multivalued: true
defanged:
name: defanged
description: Defines whether or not the data contained within the object has been
defanged.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: defanged
owner: WindowsRegistryKey
domain_of:
- CyberObservableCore
range: boolean
extensions:
name: extensions
description: Open-ended extension payloads.
notes:
- JSON Schema uses patternProperties for extension keys; exact key validation
is delegated to validator tooling.
comments:
- 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:hasFacet
rank: 1000
alias: extensions
owner: WindowsRegistryKey
domain_of:
- Core
- CyberObservableCore
- MarkingDefinition
- File
range: string
multivalued: true
name:
name: name
description: Human-readable name.
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:name
rank: 1000
alias: name
owner: WindowsRegistryKey
domain_of:
- RelatedAsset
- StixEntity
- ExtensionDefinition
- MarkingDefinition
- AutonomousSystem
- File
range: string
description:
name: description
description: Human-readable description.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:description
rank: 1000
alias: description
owner: WindowsRegistryKey
domain_of:
- RelatedAsset
- MutableElement
- StixEntity
- ExtensionDefinition
- ExternalReference
range: string