refactor(filter): Change registry.value filter field semantics

The registry.value filter field yields the name of the created
or modified registry value. The new registry.data field returns
the captured value data.

Author: rabbitstack

pkg/filter/accessor_windows.go

@@ -940,9 +940,14 @@ func (r *registryAccessor) Get(f Field, e *event.Event) (params.Value, error) {
 	case fields.RegistryKeyHandle:
 		return e.GetParamAsString(params.RegKeyHandle), nil
 	case fields.RegistryValue:
-		return e.Params.GetRaw(params.RegValue)
+		if e.IsRegSetValue() {
+			return filepath.Base(filepath.Base(e.GetParamAsString(params.RegPath))), nil
+		}
+		return nil, nil
 	case fields.RegistryValueType:
 		return e.Params.GetString(params.RegValueType)
+	case fields.RegistryData:
+		return e.GetParamAsString(params.RegData), nil
 	case fields.RegistryStatus:
 		return e.GetParamAsString(params.NTStatus), nil
 	}

pkg/filter/fields/fields_windows.go

@@ -479,10 +479,12 @@ const (
 	RegistryKeyName Field = "registry.key.name"
 	// RegistryKeyHandle represents the registry KCB address
 	RegistryKeyHandle Field = "registry.key.handle"
-	// RegistryValue represents the registry value
+	// RegistryValue represents the registry value name field
 	RegistryValue Field = "registry.value"
-	// RegistryValueType represents the registry value type
+	// RegistryValueType represents the registry value type field
 	RegistryValueType Field = "registry.value.type"
+	// RegistryData represents the captured registry data field
+	RegistryData Field = "registry.data"
 	// RegistryStatus represent the registry operation status
 	RegistryStatus Field = "registry.status"
 
@@ -1000,8 +1002,9 @@ var fields = map[Field]FieldInfo{
 	RegistryPath:      {RegistryPath, "fully qualified registry path", params.UnicodeString, []string{"registry.path = 'HKEY_LOCAL_MACHINE\\SYSTEM'"}, nil, nil},
 	RegistryKeyName:   {RegistryKeyName, "registry key name", params.UnicodeString, []string{"registry.key.name = 'CurrentControlSet'"}, nil, nil},
 	RegistryKeyHandle: {RegistryKeyHandle, "registry key object address", params.Address, []string{"registry.key.handle = 'FFFFB905D60C2268'"}, nil, nil},
-	RegistryValue:     {RegistryValue, "registry value content", params.UnicodeString, []string{"registry.value = '%SystemRoot%\\system32'"}, nil, nil},
+	RegistryValue:     {RegistryValue, "registry value name", params.UnicodeString, []string{"registry.value = 'Epoch'"}, nil, nil},
 	RegistryValueType: {RegistryValueType, "type of registry value", params.UnicodeString, []string{"registry.value.type = 'REG_SZ'"}, nil, nil},
+	RegistryData:      {RegistryData, "registry value captured data", params.Object, []string{"registry.data = '%SystemRoot%'"}, nil, nil},
 	RegistryStatus:    {RegistryStatus, "status of registry operation", params.UnicodeString, []string{"registry.status != 'success'"}, nil, nil},
 
 	NetDIP:        {NetDIP, "destination IP address", params.IP, []string{"net.dip = 172.17.0.3"}, nil, nil},

pkg/filter/filter_test.go

@@ -863,7 +863,7 @@ func TestRegistryFilter(t *testing.T) {
 		Category: event.Registry,
 		Params: event.Params{
 			params.RegPath:      {Name: params.RegPath, Type: params.UnicodeString, Value: `HKEY_LOCAL_MACHINE\SYSTEM\Setup\Pid`},
-			params.RegValue:     {Name: params.RegValue, Type: params.Uint32, Value: uint32(10234)},
+			params.RegData:      {Name: params.RegData, Type: params.Uint32, Value: uint32(10234)},
 			params.RegValueType: {Name: params.RegValueType, Type: params.AnsiString, Value: "DWORD"},
 			params.NTStatus:     {Name: params.NTStatus, Type: params.AnsiString, Value: "success"},
 			params.RegKeyHandle: {Name: params.RegKeyHandle, Type: params.Address, Value: uint64(18446666033449935464)},
@@ -878,8 +878,9 @@ func TestRegistryFilter(t *testing.T) {
 		{`registry.status startswith ('key not', 'succ')`, true},
 		{`registry.path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\Pid'`, true},
 		{`registry.key.name icontains ('Setup', 'setup')`, true},
-		{`registry.value = 10234`, true},
+		{`registry.value = 'Pid'`, true},
 		{`registry.value.type in ('DWORD', 'QWORD')`, true},
+		{`registry.data = '10234'`, true},
 		{`MD5(registry.path) = 'eab870b2a516206575d2ffa2b98d8af5'`, true},
 	}