S0511: RegDuke
Analyst context for executives and security teams
RegDuke matters because MITRE describes it as a Windows .NET first-stage implant used by APT29, including as a way to regain or maintain control of a compromised machine when other implants were lost. For leaders, the practical issue is not just one malware family; it is whether the organization can find low-noise footholds that use registry/fileless storage, PowerShell, WMI persistence, obfuscation, steganography, web-service command and control, and tool transfer before they become a longer incident.
Executive priority
Prioritize validation of Windows endpoint, identity, and network monitoring around stealthy persistence and command-and-control paths. This object is tied by ATT&CK to APT29 and Operation Ghost, so it is most relevant to organizations that need strong evidence of resilience against targeted intrusion tradecraft, especially government, diplomatic, research, and similar high-interest environments referenced in the related group/campaign context. The key executive question is whether SOC and incident response teams can prove visibility into registry changes, WMI subscriptions, PowerShell execution, and legitimate web-service traffic that may otherwise be treated as normal business activity.
Technical view
RegDuke is listed for Windows and uses ATT&CK techniques including Obfuscated Files or Information, Steganography, Fileless Storage, PowerShell, Bidirectional Communication over web services, Ingress Tool Transfer, Modify Registry, Deobfuscate/Decode Files or Information, and WMI Event Subscription. SOC and IR teams should validate coverage for Windows hosts where registry-backed storage or persistence, WMI event consumers/filters/bindings, PowerShell execution, and unusual outbound web-service communication intersect. Because MITRE provides no official detection text for this software, detection engineering should be behavior-led and mapped to the related techniques rather than dependent on a RegDuke-specific signature alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially PowerShell activity
- PowerShell script block, module, and operational logs where enabled
- Windows Registry auditing or EDR registry modification events
- WMI repository and event subscription telemetry, including filters, consumers, and bindings
- Endpoint file, memory, and artifact telemetry relevant to obfuscated or decoded content
Detection direction
- Map existing detections to the related techniques rather than only to the RegDuke name: T1027, T1027.003, T1027.011, T1059.001, T1102.002, T1105, T1112, T1140, and T1546.003.
- Hunt for combinations of suspicious PowerShell execution, registry modification or storage, WMI event subscription creation, and outbound web-service communication from the same Windows endpoint.
- Review allowlisted web services and proxy categories for blind spots, because bidirectional communication over legitimate external web services can blend with normal traffic.
- Tune for administrative false positives: registry changes, PowerShell, WMI, and downloads are common in enterprise operations, so detections should account for known management tools, approved scripts, and expected administrator activity.
- Use campaign and group relationships as threat-intelligence context for prioritization, not as proof that a local alert is APT29 activity.
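The hunt described in the list above, written out as an added example that is not part of the original page or of any MITRE material: a small correlation that groups Sysmon-style endpoint events by host and flags hosts where at least three of the four behaviors (PowerShell execution, registry modification, WMI subscription creation, outbound web-service traffic) occur within a short window. The Sysmon event IDs used (1 process creation, 3 network connection, 13 registry value set, 19/20/21 WMI filter/consumer/binding) are real; the hostnames, paths, command lines, the web-service domain list, the 30-minute window and the three-of-four threshold are constructed or assumed and would be tuned to local telemetry.

```python
"""Correlate PowerShell execution, registry modification, WMI subscription
creation and outbound web-service traffic on the same Windows host.
Added example over constructed Sysmon-style records; no field value here
comes from a real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Event IDs follow Sysmon: 1 = process create,
# 3 = network connection, 13 = registry value set, 19/20/21 = WMI filter,
# consumer and binding. Hosts, users, paths and commands are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS-0142", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"ts": "2024-05-01T09:00:09", "host": "WS-0142", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\ExampleVendor\LicenseKey",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-05-01T09:00:12", "host": "WS-0142", "event_id": 20,
     "name": "ExampleConsumer", "type": "CommandLineEventConsumer"},
    {"ts": "2024-05-01T09:00:40", "host": "WS-0142", "event_id": 3,
     "dest_host": "api.dropboxapi.com", "dest_port": 443,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Admin host: scripted change management also uses PowerShell and touches
    # the registry, but shows only two of the four behaviors.
    {"ts": "2024-05-01T09:30:00", "host": "ADMIN-07", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\Set-Baseline.ps1"},
    {"ts": "2024-05-01T09:30:02", "host": "ADMIN-07", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumed tuning values: which web-service domains count, how close in time the
# behaviors must be, and how many distinct behaviors trigger a finding.
WEB_SERVICE_DOMAINS = {"api.dropboxapi.com", "content.dropboxapi.com"}
WINDOW = timedelta(minutes=30)
MIN_BEHAVIORS = 3


def classify(event):
    """Map one event to a behavior label, or None if it is not of interest."""
    image = event.get("image", "").lower()
    eid = event["event_id"]
    if eid == 1 and image.endswith("powershell.exe"):
        return "powershell"
    if eid == 13 and image.endswith("powershell.exe"):
        return "registry"
    if eid in (19, 20, 21):
        return "wmi_subscription"
    if eid == 3 and event.get("dest_host", "").lower() in WEB_SERVICE_DOMAINS:
        return "web_service_c2"
    return None


def correlate(events, window=WINDOW, min_behaviors=MIN_BEHAVIORS):
    """Return {host: sorted behavior labels} for every host that shows at least
    `min_behaviors` distinct behaviors starting within `window` of each other."""
    by_host = defaultdict(list)
    for e in events:
        label = classify(e)
        if label:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), label))
    hits = {}
    for host, items in by_host.items():
        items.sort()
        # Slide a window forward from each event and collect distinct labels.
        for i, (start, _) in enumerate(items):
            labels = {lab for ts, lab in items[i:] if ts - start <= window}
            if len(labels) >= min_behaviors:
                hits[host] = sorted(labels)
                break
    return hits


if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```

The per-host grouping is what keeps the administrative host below the threshold: PowerShell plus a registry write is routine, and the finding only fires when WMI subscription creation and web-service traffic join them on the same endpoint. In production the domain list, window and threshold would come from a baseline of approved management tooling rather than the constants above.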
Mitigation priorities
- Ensure PowerShell logging, constrained administration practices, and review of allowed scripting activity are in place for Windows systems.
- Harden and monitor WMI usage, with particular attention to persistent event subscriptions.
- Audit registry locations used for persistence or non-file storage and confirm EDR or native logging can capture meaningful changes.
- Control and monitor outbound web-service access through proxy, DNS, and network policy, especially from servers and sensitive workstations that should not initiate broad internet communications.
- Maintain incident response procedures for first-stage implant scenarios, including host isolation, credential review, persistence removal, and scoping for additional tools transferred after initial control.
Analyst notes and limits
The most useful defensive framing is the chain implied by the relationships: stealthy storage or obfuscation, Windows execution through PowerShell, persistence through registry or WMI, and command-and-control/tool transfer through web channels. RegDuke should be used as a validation case for whether managed detection, IR triage, and detection engineering can connect these behaviors across endpoint and network telemetry.
MITRE does not provide official detection guidance, aliases, labels, or object-level tactics for RegDuke in the supplied fields. The object is scoped to the Windows platform, while some related techniques also apply to other platforms; this analysis limits RegDuke-specific guidance to Windows. Local exposure, active exploitation, control effectiveness, and attribution cannot be concluded from the supplied ATT&CK data alone.
RegDuke
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | RegDuke can download files from C2.[1] |
| Enterprise | T1027.003 | Steganography | RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.[1] |
| Enterprise | T1059.001 | PowerShell | RegDuke can extract and execute PowerShell scripts from C2 communications.[1] |
| Enterprise | T1112 | Modify Registry | RegDuke can create a seemingly legitimate Registry key to store its encryption key.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[1] |
| Enterprise | T1027.011 | Fileless Storage | RegDuke can store its encryption key in the Registry.[1] |
| Enterprise | T1102.002 | Bidirectional Communication | RegDuke can use Dropbox as its C2 server.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[1] |
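The T1546.003 row above, and the mitigation advice to monitor persistent WMI event subscriptions, both come down to the same triage question: which bindings connect an executing consumer to a filter that fires on process start? The following is an added example, not code from the page, from MITRE or from the ESET report. It joins Sysmon-style WMI records (event IDs 19 filter, 20 consumer, 21 binding) by name, recognises process-start filters in the WQL text, and reports the trigger process and consumer command. The filter and consumer names, the WQL text and the consumer command line are constructed; the `SCM Event Log Filter` / `SCM Event Log Consumer` pair is modelled on the subscription Windows ships by default and is included so the example shows a benign entry being passed over.

```python
"""Triage persistent WMI event subscriptions for the T1546.003 pattern: an
executing consumer bound to a filter that fires when a named process starts.
Added example over constructed Sysmon-style records (event IDs 19/20/21);
names, queries and commands are made up."""
import re

# Constructed telemetry. Field names loosely follow Sysmon's WMI events.
SAMPLE_WMI_EVENTS = [
    {"event_id": 19, "name": "OfficeStartFilter", "namespace": "root/cimv2",
     "query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE "
              "TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'WINWORD.EXE'"},
    {"event_id": 20, "name": "OfficeStartConsumer", "type": "CommandLineEventConsumer",
     "destination": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"event_id": 21, "filter": "OfficeStartFilter", "consumer": "OfficeStartConsumer"},
    # Baseline entry modelled on the default Windows subscription; it logs to
    # the event log and is not a process-start trigger.
    {"event_id": 19, "name": "SCM Event Log Filter", "namespace": "root/cimv2",
     "query": "select * from MSFT_SCMEventLogEvent"},
    {"event_id": 20, "name": "SCM Event Log Consumer", "type": "NTEventLogEventConsumer",
     "destination": ""},
    {"event_id": 21, "filter": "SCM Event Log Filter", "consumer": "SCM Event Log Consumer"},
]

# Consumer classes that run arbitrary commands or scripts.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# WQL classes that expose process creation (checked case-insensitively).
PROCESS_START_CLASSES = ("win32_process", "win32_processstarttrace")
_NAME_RE = re.compile(r"(?:TargetInstance\.Name|ProcessName)\s*=\s*'([^']+)'", re.I)
_ENC_PS_RE = re.compile(r"powershell.*\s-e(nc|ncodedcommand)?\b", re.I)


def trigger_process(query):
    """Return the process name a WQL filter keys on, '*' if it fires on any
    process start, or None if the filter is not a process-start trigger."""
    lowered = query.lower()
    if not any(cls in lowered for cls in PROCESS_START_CLASSES):
        return None
    match = _NAME_RE.search(query)
    return match.group(1).upper() if match else "*"


def triage(events):
    """Join filters, consumers and bindings by name and return one finding per
    executing consumer that is bound to a process-start filter."""
    filters = {e["name"]: e for e in events if e["event_id"] == 19}
    consumers = {e["name"]: e for e in events if e["event_id"] == 20}
    findings = []
    for binding in (e for e in events if e["event_id"] == 21):
        flt = filters.get(binding["filter"])
        con = consumers.get(binding["consumer"])
        if not flt or not con or con["type"] not in EXECUTING_CONSUMERS:
            continue
        proc = trigger_process(flt["query"])
        if proc is None:
            continue
        findings.append({
            "filter": flt["name"],
            "consumer": con["name"],
            "consumer_type": con["type"],
            "trigger_process": proc,
            "command": con["destination"],
            # Encoded PowerShell in the consumer is a strong escalation signal.
            "encoded_powershell": bool(_ENC_PS_RE.search(con["destination"])),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_WMI_EVENTS):
        print(f"{f['consumer_type']} '{f['consumer']}' fires on {f['trigger_process']}: "
              f"{f['command']}")
```

A binding whose consumer type is `NTEventLogEventConsumer` or whose filter does not reference a process class drops out before any string matching, which is what keeps the default Windows subscription silent. Bindings that survive are worth a response-time look at the consumer's command line and at whatever the trigger process is, rather than a RegDuke-specific signature.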
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
C0023: Operation Ghost
Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e5d957c698ce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
[2] mitre-attack S0511
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.