1. Home
  2. Software
  3. Reg

Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [1]

Utilities such as Reg are known to be used by persistent threats. [2]

ID: S0075
Associated Software: reg.exe
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 13 October 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.[1]
Enterprise T1012 Query Registry

Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[1]
Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

Reg may be used to find credentials in the Windows Registry.[3]

Groups That Use This Software

ID Name References
G0075 Rancor

[4]
G0049 OilRig

[5][6]
G1034 Daggerfly

Daggerfly has used Reg to dump various Windows registry hives from victim machines.[7]
G0035 Dragonfly

[8]
G0093 GALLIUM

[9]
G0010 Turla

[10]
G0047 Gamaredon Group

Gamaredon Group has used Reg to add Run keys to the Registry.[11]
G1017 Volt Typhoon

[12]

Campaigns

ID Name Description
C0006 Operation Honeybee

[13]

References

  1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  2. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  3. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
  4. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  5. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  6. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  7. Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024.
  1. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  2. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  3. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  4. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  5. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  6. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.