1. Home
  2. Software
  3. Reg

Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [1]

Utilities such as Reg are known to be used by persistent threats. [2]

ID: S0075
Associated Software: reg.exe
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 23 August 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.[1]
Enterprise T1012 Query Registry

Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[1]
Enterprise T1552 .002 Unsecured Credentials: Credentials in Registry

Reg may be used to find credentials in the Windows Registry.[3]

Groups That Use This Software

ID Name References
G0072 Honeybee

[4]
G0010 Turla

[5]
G0049 OilRig

[6][7]
G0075 Rancor

[8]
G0074 Dragonfly 2.0

[9]
G0093 GALLIUM

[10]

References

  1. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  2. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  3. netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.
  4. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  5. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  1. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  2. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  3. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  4. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  5. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.