Windows

Reg.exeReg.exe

Platform
Windows
Abuse functions
2
Mapped techniques
2

Description

Reg.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: ADS, Credentials. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1003, T1564.004. Defenders should monitor execution of Reg.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.

Abuse functions· 2

Hide/plant registry information in Alternate data stream for later use

CredentialsT1003.002

Dump credentials from the Security Account Manager (SAM)

MITRE ATT&CK techniques· 2

T1564.004T1003.002

Uses2

TypeTargetConfidenceTier
SubTechniqueSecurity Account Managert1003.002100%live
SubTechniqueNTFS File Attributest1564.004100%live

Abuses2

TypeTargetConfidenceTier
SubTechniqueNTFS File Attributest1564.00490%live
TechniqueOS Credential Dumpingt100385%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

LOLbin
Regedit.exe
LOLbin
Regsvr32.exe
LOLbin
Regsvcs.exe
LOLbin
Regini.exe
LOLbin
Regasm.exe
LOLbin
Register-cimprovider.exe
Sourced from LOLBAS Project. Curated by Adam Lundqvist, SQUR.