MITRE ATT&CK® Tool

S0075: Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [1]

Utilities such as Reg are known to be used by persistent threats. [2]

Domain: Enterprise | ID: S0075 | Type: Tool | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Reg is a legitimate Windows command-line utility for reading and changing the Windows Registry. Its business significance is that the same tool administrators use for configuration can also support discovery, persistence, defense impairment, and credential access when abused. Because it is built into Windows, risk is driven less by malware presence and more by whether the organization can distinguish approved registry administration from suspicious use.

Executive priority

Prioritize Reg coverage where Windows systems support critical business services, privileged administration, identity infrastructure, or regulated audit requirements. Leaders should ask whether registry queries and changes are logged, whether sensitive registry locations are monitored, and whether stored credentials or automatic logon secrets exist in the registry. ATT&CK relationships show Reg mapped to multiple techniques and used by several named groups and a campaign, making it a practical validation point for SOC readiness and incident response triage rather than a niche tool concern.

Technical view

For defenders, validate visibility around reg.exe execution on Windows and registry read/write activity associated with Query Registry (T1012), Modify Registry (T1112), and Credentials in Registry (T1552.002). Focus review on command-line telemetry, parent process context, user privilege level, local versus remote registry activity, and changes to keys associated with persistence, security settings, software configuration, and credential storage. Because ATT&CK provides no official detection text for this tool, detections should be built from local baselines and the related technique context.

Likely telemetry

  • Windows process creation events including command line, parent process, user, host, and working directory
  • Endpoint/EDR telemetry for reg.exe execution and registry access
  • Windows Registry auditing or endpoint registry-change telemetry for sensitive keys and values
  • Authentication and privilege context for the account running Reg, especially administrator-level use
  • Remote administration indicators such as remote registry access or management sessions where collected

Detection direction

  • Baseline normal administrative and software deployment use of reg.exe before alerting on volume alone; false positives are common for IT operations.
  • Prioritize unusual parent processes, unexpected users, non-administrative workstations performing broad registry queries, and registry changes outside approved maintenance windows.
  • Tune for access to sensitive credential-related locations and queries suggesting credential discovery, consistent with T1552.002, without relying on command strings alone.
  • Monitor modifications to registry areas tied to persistence or security configuration, consistent with T1112, and correlate with new processes, services, or policy changes.
  • Use relationship context as hunt guidance: ATT&CK maps Reg to use by multiple groups/campaigns, but local detections should remain behavior-based rather than attribution-based.
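As an added illustration of the detection direction above (this is example code written for this page, not Glexia or MITRE material), the following Python scores constructed reg.exe process-creation events against the signals the bullets name: unexpected parent process, remote registry targets, sensitive persistence and automatic-logon keys (T1112, T1552.002), non-administrator accounts touching those keys, and writes outside an approved maintenance window. The watchlist, the expected-parent baseline and the sample events are all assumptions to be replaced with local baselines; key-path matching is one signal to be correlated with registry-access telemetry, not a detection on its own.

```python
import re

# Watchlist of key-path fragments tied to this page's technique context
# (constructed for the example): T1112 persistence, T1552.002 autologon secrets.
SENSITIVE_KEYS = {
    r"\currentversion\run": "T1112 persistence key",
    r"\currentversion\winlogon": "T1552.002 automatic logon secrets",
}
# Assumed local baseline: parents from which reg.exe is normally launched.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "ccmexec.exe"}
WRITE_VERBS = {"add", "delete", "import", "restore", "load"}
# reg.exe command line: optional path/quotes, verb, then a quoted or bare key path.
_CMD = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+(\w+)\s+(?:"([^"]+)"|(\S+))',
                  re.IGNORECASE)

def score_reg_event(event, in_maintenance_window=False):
    """Score one process-creation event (dict with image, cmdline, parent, user,
    is_admin); returns (score, reasons). A triage ordering aid, not an alert."""
    reasons = []
    if event["image"].lower() != "reg.exe":
        return 0, reasons
    m = _CMD.match(event["cmdline"])
    verb = m.group(1).lower() if m else ""
    target = ((m.group(2) or m.group(3)) if m else "").lower()
    if event["parent"].lower() not in EXPECTED_PARENTS:
        reasons.append(f"unusual parent {event['parent']}")
    if target.startswith("\\\\"):           # \\host\HKLM\... form of a remote query
        reasons.append("remote registry access")
    hits = [label for frag, label in SENSITIVE_KEYS.items() if frag in target]
    reasons.extend(hits)
    if hits and not event["is_admin"]:
        reasons.append("non-admin account touching sensitive key")
    if verb in WRITE_VERBS and not in_maintenance_window:
        reasons.append("registry write outside approved maintenance window")
    return len(reasons), reasons

def triage(events, in_maintenance_window=False):
    """Rank events by score, dropping zero-score baseline administration."""
    scored = [(score_reg_event(ev, in_maintenance_window), ev["user"]) for ev in events]
    ranked = [(s, user, r) for (s, r), user in scored if s]
    return sorted(ranked, key=lambda row: row[0], reverse=True)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": "reg.exe", "parent": "cmd.exe", "user": "svc_deploy", "is_admin": True,
     "cmdline": r"reg query HKLM\SOFTWARE\Vendor\App /v Version"},
    {"image": "reg.exe", "parent": "winword.exe", "user": "jdoe", "is_admin": False,
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\u.exe"},
    {"image": "reg.exe", "parent": "powershell.exe", "user": "jdoe", "is_admin": False,
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"'},
    {"image": "reg.exe", "parent": "cmd.exe", "user": "admin_ops", "is_admin": True,
     "cmdline": r"reg query \\fileserver01\HKLM\SYSTEM\CurrentControlSet\Services"},
]
```

Running `triage(SAMPLE_EVENTS)` ranks the Office-spawned Run-key write first and drops the vendor-key query as baseline activity.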

Mitigation priorities

  • Reduce unnecessary administrator privileges and remote registry access where business operations allow.
  • Apply registry permissions and hardening to sensitive configuration and security keys.
  • Remove or prevent insecurely stored credentials and automatic logon secrets in the registry where identified.
  • Require change control for administrative registry modifications on servers and critical workstations.
  • Ensure Windows endpoint logging and retention are sufficient for incident response reconstruction of registry queries and modifications.

Analyst notes and limits

This take is based on the ATT&CK S0075 Reg software object, its Microsoft/JPCERT references, and supplied relationships to T1012, T1112, T1552.002, C0006, and listed groups. Reg is a built-in Windows utility, so defensive value comes from context: who ran it, from where, against which keys, and whether the action matches approved administration.

ATT&CK does not provide official detection guidance for this object, and the tool object itself has no tactics specified. The related techniques provide direction, but specific suspicious keys, command patterns, and thresholds require local environment baselines and approved-administration knowledge. The supplied relationships indicate documented use, not current activity or exposure in any specific organization.

Official MITRE ATT&CK definition

Reg

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. [1]

Utilities such as Reg are known to be used by persistent threats. [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1552.002 | Credentials in Registry (sub-technique)

Reg may be used to find credentials in the Windows Registry. [Citation: Pentestlab Stored Credentials]

Enterprise | T1012 | Query Registry

Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface. [Citation: Microsoft Reg]

Enterprise | T1112 | Modify Registry

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface. [Citation: Microsoft Reg]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0075: Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]

Group Enterprise

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group Enterprise

G1034: Daggerfly

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]

Group Enterprise

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Group Enterprise

G0093: GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

Group Enterprise

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [6][5]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations. [6]

Campaign Enterprise

C0006: Operation Honeybee

Operation Honeybee was a campaign that targeted humanitarian aid and inter-Korean affairs organizations from at least late 2017 through early 2018. Operation Honeybee initially targeted South Korea, but expanded to include Vietnam, Singapore, Japan, Indonesia, Argentina, and Canada. Security researchers assessed the threat actors were likely Korean speakers based on metadata used in both lure documents and executables, and named the campaign "Honeybee" after the author name discovered in malicious Word documents.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created: (not recorded in this snapshot)
Modified: (not recorded in this snapshot)
Raw hash: 1676f6d1eae1ceb7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not recorded) | 1.1 | (not recorded) | Current bundle | 1676f6d1eae1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Microsoft Reg. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  [2] Windows Commands JPCERT. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  [3] mitre-attack S0075. MITRE ATT&CK software object S0075.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.