
S0511 RegDuke

RegDuke is a first-stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost. [1]

ID: S0511
Associated Names: (none)
Version: 1.1
Created: 23 September 2020
Last Modified: 24 March 2023

Techniques Used

Domain     | ID        | Name                                                   | Use
enterprise | T1059     | Command and Scripting Interpreter                      | -
enterprise | T1059.001 | PowerShell                                             | RegDuke can extract and execute PowerShell scripts from C2 communications. [1]
enterprise | T1140     | Deobfuscate/Decode Files or Information                | RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code. [1]
enterprise | T1546     | Event Triggered Execution                              | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription  | RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started. [1]
enterprise | T1105     | Ingress Tool Transfer                                  | RegDuke can download files from C2. [1]
enterprise | T1112     | Modify Registry                                        | RegDuke can create a seemingly legitimate Registry key to store its encryption key. [1]
enterprise | T1027     | Obfuscated Files or Information                        | RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation. [1]
enterprise | T1027.003 | Steganography                                          | RegDuke can hide data in images, including use of the Least Significant Bit (LSB). [1]
enterprise | T1027.011 | Fileless Storage                                       | RegDuke can store its encryption key in the Registry. [1]
enterprise | T1102     | Web Service                                            | -
enterprise | T1102.002 | Bidirectional Communication                            | RegDuke can use Dropbox as its C2 server. [1]

Groups That Use This Software

ID    | Name  | References
G0016 | APT29 | [1] [2]