Skip to content

S0075 Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. 1

Utilities such as Reg are known to be used by persistent threats. 2

Item Value
ID S0075
Associated Names
Type TOOL
Version 1.1
Created 31 May 2017
Last Modified 13 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1112 Modify Registry Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.1
enterprise T1012 Query Registry Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.002 Credentials in Registry Reg may be used to find credentials in the Windows Registry.3

Groups That Use This Software

ID Name References
G0049 OilRig 56
G0010 Turla 7
G0075 Rancor 8
G0093 GALLIUM 9
G0035 Dragonfly 10

References

  1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. 

  2. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. 

  3. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018. 

  4. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  5. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. 

  6. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  7. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  8. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. 

  9. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  10. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.