S0075 Reg
Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. 1
Utilities such as Reg are known to be used by persistent threats. 2
| Item | Value |
|---|---|
| ID | S0075 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 16 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1112 | Modify Registry | Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.1 |
| enterprise | T1012 | Query Registry | Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.1 |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.002 | Credentials in Registry | Reg may be used to find credentials in the Windows Registry.3 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0075 | Rancor | 5 |
| G0049 | OilRig | 67 |
| G1034 | Daggerfly | Daggerfly has used Reg to dump various Windows registry hives from victim machines.8 |
| G0035 | Dragonfly | 9 |
| G0093 | GALLIUM | 10 |
| G0010 | Turla | 11 |
| G0047 | Gamaredon Group | Gamaredon Group has used Reg to add Run keys to the Registry.12 |
| G1017 | Volt Typhoon | 13 |
References
-
Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015. ↩↩↩
-
Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. ↩
-
netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018. ↩
-
Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. ↩
-
Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. ↩
-
Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. ↩
-
Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. ↩
-
Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. ↩
-
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. ↩
-
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. ↩
-
Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. ↩
-
CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. ↩