reg.exe
- File Path:
C:\windows\system32\reg.exe
- Description: Registry Console Tool
Hashes
Type | Hash |
---|---|
MD5 | A3F446F1E2B8C6ECE56F608FB32B8DC6 |
SHA1 | 0873F40DE395DE017495ED5C7E693AFB55E9F867 |
SHA256 | 849F54DC526EA18D59ABAF4904CB11BC15B982D2952B971F2E1B6FBF8C974B39 |
SHA384 | 08A34EB51E0741CA70CD9CE4F85C1C9BFFD4D9FCEA5FA1012C2531ED0C030CDC66E3E95E9809507BF04752F38B738F8C |
SHA512 | 0728C4B3519462A08ED4FFA08B3F35ABCE76344DD49C79FCD9D9C7BF7C00E6FFC3DC5F2BD37FE7F2F3627E0E95EFA37BD724168F0C224248EFE6FA483C9A836E |
SSDEEP | 1536:vy38PPvlbB4aNHPRS1Id5fbV5uRqRbkAlZJ6WsuqXakq7/c:egya/tdv5uERbdp0XR4U |
Signature
- Status: The file C:\windows\system32\reg.exe is not digitally signed. (Note: this reflects the absence of an embedded Authenticode signature. Many Windows system binaries are signed through the system catalog instead, so confirm with a catalog-aware check such as `signtool verify /a` before treating the file as unsigned.)
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: reg.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of reg.exe being misused. While reg.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_susp_logon_explicit_credentials.yml | - '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_lazarus_activity_dec20.yml | - 'reg.exe save hklm\sam %temp%\~reg_sam.save' | DRL 1.0 |
sigma | proc_creation_win_control_panel_item.yml | Image\|endswith: '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_enumeration_for_credentials_in_registry.yml | Image\|endswith: \reg.exe | DRL 1.0 |
sigma | proc_creation_win_grabbing_sensitive_hives_via_reg.yml | description: Dump sam, system or security hives using REG.exe utility | DRL 1.0 |
sigma | proc_creation_win_grabbing_sensitive_hives_via_reg.yml | Image\|endswith: '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_mmc_spawn_shell.yml | - '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_mshta_spawn_shell.yml | - '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - reg.exe | DRL 1.0 |
sigma | proc_creation_win_query_registry.yml | Image\|endswith: '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_reg_add_run_key.yml | description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry | DRL 1.0 |
sigma | proc_creation_win_reg_defender_exclusion.yml | description: Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData. | DRL 1.0 |
sigma | proc_creation_win_reg_defender_exclusion.yml | Image\|endswith: \reg.exe | DRL 1.0 |
sigma | proc_creation_win_reg_service_imagepath_change.yml | title: Service ImagePath Change with Reg.exe | DRL 1.0 |
sigma | proc_creation_win_reg_service_imagepath_change.yml | Image\|endswith: \reg.exe | DRL 1.0 |
sigma | proc_creation_win_software_discovery.yml | Image\|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion | DRL 1.0 |
sigma | proc_creation_win_susp_direct_asep_reg_keys_modification.yml | description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. | DRL 1.0 |
sigma | proc_creation_win_susp_direct_asep_reg_keys_modification.yml | Image\|endswith: '\reg.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_disable_raccine.yml | - 'reg.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_machineguid.yml | Image\|endswith: \reg.exe | DRL 1.0 |
sigma | proc_creation_win_susp_reg_disable_sec_services.yml | description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service | DRL 1.0 |
sigma | proc_creation_win_susp_screensaver_reg.yml | title: Suspicious ScreenSave Change by Reg.exe | DRL 1.0 |
sigma | proc_creation_win_susp_screensaver_reg.yml | Image\|endswith: reg.exe | DRL 1.0 |
LOLBAS | Reg.yml | Name: Reg.exe | |
LOLBAS | Reg.yml | - Path: C:\Windows\System32\reg.exe | |
LOLBAS | Reg.yml | - Path: C:\Windows\SysWOW64\reg.exe | |
LOLBAS | Reg.yml | - IOC: reg.exe writing to an ADS | |
LOLBAS | SettingSyncHost.yml | Description: Execute a batch script in the background (no window ever pops up) which can be subverted to running arbitrary programs by setting the current working directory to %TMP% and creating files such as reg.bat/reg.exe in that directory thereby causing them to execute instead of the ones in C:\Windows\System32. | |
LOLBAS | Wmic.yml | - Command: wmic.exe process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" | |
malware-ioc | misp_invisimole.json | "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", | © ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #8: Disable UAC using reg.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Service ImagePath Change with reg.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #8: Disable UAC using reg.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Service ImagePath Change with reg.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1037.001.md | REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1037.001.md | REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" | MIT License. © 2018 Red Canary |
atomic-red-team | T1112.md | Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.004.md | reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1137.004.md | reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.002.md | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.002.md | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.002.md | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.002.md | reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.010.md | reg.exe import #{registry_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.010.md | reg.exe import #{registry_cleanup_file} >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | - Atomic Test #8 - Disable UAC using reg.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | ## Atomic Test #8 - Disable UAC using reg.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Disable User Account Control (UAC) using the builtin tool reg.exe by changing its registry key | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.011.md | - Atomic Test #2 - Service ImagePath Change with reg.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.011.md | ## Atomic Test #2 - Service ImagePath Change with reg.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.011.md | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" | MIT License. © 2018 Red Canary |
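The patterns in the table above (hive dumping with `reg save`, Run-key persistence, Defender exclusions, service ImagePath changes, EnableLUA=0, IFEO Debugger entries, the UserInitMprLogonScript and SCRNSAVE.EXE handlers, and the ms-settings/mscfile UAC-bypass handlers) all reduce to a few checks on a parsed reg.exe command line. The Python below is an added example, not code from the Strontic page or from the Sigma, LOLBAS or Atomic Red Team projects: it tokenises a Windows command line, expands the short hive names reg.exe accepts, and runs the checks over constructed Sysmon-style CommandLine values. The rule names and SAMPLE_EVENTS are my own and are not real telemetry.

```python
"""Parse reg.exe command lines and flag the misuse patterns listed above.
Added example; SAMPLE_EVENTS are constructed, not real telemetry."""
import re

# Short hive names reg.exe accepts, mapped to their full form for comparison.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split on whitespace while keeping double-quoted arguments together."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def normalize_key(key):
    """Expand HKLM-style abbreviations; case-folding is done by the rules."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + sep + rest


def parse_reg(cmdline):
    """Return the operation, key and switches of a reg.exe invocation, or None."""
    toks = split_cmdline(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    info = {"op": toks[1].lower() if len(toks) > 1 else "", "key": None, "file": None,
            "value": None, "type": None, "data": None, "default": False, "force": False}
    positional, i = [], 2
    while i < len(toks):
        tok = toks[i].lower()
        if tok in ("/v", "/t", "/d") and i + 1 < len(toks):
            info[{"/v": "value", "/t": "type", "/d": "data"}[tok]] = toks[i + 1]
            i += 2
            continue
        if tok == "/ve":
            info["default"] = True
        elif tok == "/f":
            info["force"] = True
        elif not tok.startswith("/"):          # the key, and for save/export the output file
            positional.append(toks[i])
        i += 1
    if positional:
        info["key"] = normalize_key(positional[0])
        info["file"] = positional[1] if len(positional) > 1 else None
    return info


def assess(cmdline):
    """Return the rule names the command line triggers (empty list = nothing)."""
    r = parse_reg(cmdline)
    if r is None or r["key"] is None:
        return []
    key = r["key"].lower().rstrip("\\")
    val, data, add = (r["value"] or "").lower(), (r["data"] or "").lower(), r["op"] == "add"
    hits = []
    if r["op"] in ("save", "export") and key in (
            "hkey_local_machine\\sam", "hkey_local_machine\\system", "hkey_local_machine\\security"):
        hits.append("sensitive hive dump (SAM/SYSTEM/SECURITY)")
    if add and re.search(r"\\currentversion\\run(once)?$", key):
        hits.append("Run/RunOnce autostart entry")
    if add and "\\windows defender\\exclusions\\" in key:
        hits.append("Defender exclusion added")
    if add and key.startswith("hkey_local_machine\\system\\currentcontrolset\\services\\") and val == "imagepath":
        hits.append("service ImagePath changed")
    if add and key.endswith("\\policies\\system") and val == "enablelua" and data in ("0", "0x0"):
        hits.append("UAC disabled (EnableLUA=0)")
    if add and "\\image file execution options\\" in key and val == "debugger":
        hits.append("IFEO Debugger set")
    if add and key == "hkey_current_user\\environment" and val == "userinitmprlogonscript":
        hits.append("logon script persistence (UserInitMprLogonScript)")
    if add and key.endswith("\\control panel\\desktop") and val == "scrnsave.exe":
        hits.append("screensaver handler replaced")
    if add and re.search(r"\\classes\\(ms-settings|mscfile)\\shell\\open\\command$", key):
        hits.append("UAC bypass handler (ms-settings/mscfile)")
    return hits


SAMPLE_EVENTS = [  # constructed CommandLine values in the style of the examples above
    r'reg.exe save hklm\sam %temp%\~reg_sam.save',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\u.exe" /f',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData\x /t REG_DWORD /d 0 /f',
    r'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d cmd.exe /f',
    r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WeakSvc" /f /v ImagePath /d "C:\Users\Public\m.exe"',
    r'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion',
    r'reg.exe add HKCU\Software\Classes\AtomicRedTeam /v ART /t REG_SZ /d aGVsbG8=',
]


def scan(events):
    """Return (command line, triggered rules) for every event that matched a rule."""
    findings = []
    for event in events:
        hits = assess(event)
        if hits:
            findings.append((event, hits))
    return findings


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}\n    {cmd}")
```

The query and the AtomicRedTeam marker lines fall through with no hits, which is the point of parsing rather than substring-matching on `reg.exe`: a rule keyed on the operation, the normalised key path and the `/v` and `/d` arguments does not fire on the benign `reg query` in the Sigma software-discovery example. Command lines that reach reg.exe through an intermediary such as `wmic process call create` arrive with their quotes escaped, so unescape them before handing them to `assess`.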
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
reg commands
Performs operations on registry subkey information and values in registry entries.
Some operations enable you to view or configure registry entries on local or remote computers, while others allow you to configure only local computers. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers.
Caution: Don't edit the registry directly unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. You can safely alter most registry settings by using the programs in Control Panel or Microsoft Management Console (MMC). If you must edit the registry directly, back it up first.
Syntax
reg add
reg compare
reg copy
reg delete
reg export
reg import
reg load
reg query
reg restore
reg save
reg unload
Parameters
Parameter | Description |
---|---|
reg add | Adds a new subkey or entry to the registry. |
reg compare | Compares specified registry subkeys or entries. |
reg copy | Copies a registry entry to a specified location on the local or remote computer. |
reg delete | Deletes a subkey or entries from the registry. |
reg export | Copies the specified subkeys, entries, and values of the local computer into a file for transfer to other servers. |
reg import | Copies the contents of a file that contains exported registry subkeys, entries, and values into the registry of the local computer. |
reg load | Writes saved subkeys and entries into a different subkey in the registry. |
reg query | Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry. |
reg restore | Writes saved subkeys and entries back to the registry. |
reg save | Saves a copy of specified subkeys, entries, and values of the registry in a specified file. |
reg unload | Removes a section of the registry that was loaded using the reg load operation. |
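`reg import` applies every key and value in a .reg file without confirmation, and `reg export` writes the same format in the other direction, so it pays to see what a file will do before importing it. The Python below is an added example, not from the Strontic page or from Microsoft's documentation: it parses the version-5 .reg text format (quoted strings with backslash escapes, `dword:` values, `hex(n):` byte lists with line continuations, `[-key]` deletions and `=-` value deletions), decodes the UTF-16LE string types, and lists the operations that touch autostart or policy locations. SAMPLE_REG is constructed; real exports are UTF-16LE with a byte-order mark, so read them with `encoding="utf-16"` before parsing. The ASEP_HINTS list is my own shortlist, not an exhaustive catalogue.

```python
"""Decode a .reg file (the format reg export writes and reg import reads) into
the operations it would perform. Added example; SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\u.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"=hex(2):43,00,3a,00,5c,00,74,00,2e,00,62,00,61,00,74,00,\
  00,00

[-HKEY_CURRENT_USER\Software\Classes\mscfile]

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"=-

[HKEY_CURRENT_USER\Software\ExampleApp]
"Theme"="dark"
'''

_STRING_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}
_OTHER_TYPES = {0: "REG_NONE", 3: "REG_BINARY", 4: "REG_DWORD", 11: "REG_QWORD"}
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # \\ -> \ and \" -> "


def decode_data(raw):
    """Return (type name, decoded data) for the right-hand side of a value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return "UNKNOWN", raw
    typ = int(m.group(1) or 3)              # bare hex: is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if typ in _STRING_TYPES:                # string types are stored as UTF-16LE
        text = data.decode("utf-16-le")
        if typ == 7:
            return "REG_MULTI_SZ", [s for s in text.split("\0") if s]
        return _STRING_TYPES[typ], text.rstrip("\0")
    return _OTHER_TYPES.get(typ, f"hex({typ})"), data


def parse_reg_file(text):
    """Return a list of (key, action, value name, type, data) tuples in file order."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("missing .reg header")
    ops, key, i = [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\") and i + 1 < len(lines):   # hex data continued on next line
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):                 # [-key] removes the whole subtree
                key = None
                ops.append((body[1:], "delete-key", None, None, None))
            else:
                key = body
                ops.append((key, "create-key", None, None, None))
            continue
        if key is None:
            continue
        if line.startswith("@="):                    # the key's default value
            name, raw = "", line[2:]
        else:
            m = _VALUE_LINE.match(line)
            if not m:
                continue                             # not a value line we understand
            name, raw = _unescape(m.group(1)), m.group(2)
        raw = raw.strip()
        if raw == "-":                               # "name"=- removes the value
            ops.append((key, "delete-value", name, None, None))
        else:
            ops.append((key, "set-value", name) + decode_data(raw))
    return ops


# Substrings of key paths worth a second look before importing (my shortlist, not exhaustive).
ASEP_HINTS = ("\\currentversion\\run", "\\currentcontrolset\\services\\",
              "\\currentversion\\winlogon", "\\environment", "\\policies\\system",
              "\\image file execution options\\", "\\shell\\open\\command",
              "\\control panel\\desktop", "\\classes\\mscfile", "\\classes\\ms-settings")


def audit(text):
    """Return only the operations that touch an autostart or policy location."""
    return [op for op in parse_reg_file(text)
            if any(h in op[0].lower() for h in ASEP_HINTS)]


if __name__ == "__main__":
    for key, action, name, typ, data in audit(SAMPLE_REG):
        print(f"{action:13} {key}  {name or ''} {typ or ''} {data if data is not None else ''}")
```

Decoding the `hex(2):` value matters because REG_EXPAND_SZ and REG_MULTI_SZ data are written as byte lists, so a reviewer reading the raw file sees `43,00,3a,00,...` rather than the script path it encodes; the same applies to the constructed Run-key entry, whose doubled backslashes are the file format's escaping, not part of the path. Only the ExampleApp key in the sample falls outside the shortlist.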
MIT License. Copyright (c) 2020-2021 Strontic.