R
High RiskWindowsLegitimateCommonly Abusedreg.exeSYSTEM UTILITYreg.exe - Registry Editor CLI Security Analysis
reg.exe is the Windows Registry command-line editor for querying and modifying the registry. Attackers use reg.exe extensively for persistence (Run keys), credential harvesting (SAM/SECURITY hives), defense evasion (disabling security), and reconnaissance. Registry modifications are central to most Windows attacks.
Risk Summary
HIGH priority for SOC triage. reg.exe can establish persistence, extract credentials, and disable security features. Monitor for modifications to Run keys, SAM/SECURITY hive exports, and security policy changes.
Overview
What is reg.exe?
reg.exe is the command-line interface for the Windows Registry.
Core Functions
Registry Operations:
- Query registry values
- Add/delete keys and values
- Export/import registry data
- Compare registry states
Security Significance
- Persistence Central: Run keys, services
- Credential Storage: SAM, LSA secrets
- Security Settings: Policies, defender
- System Configuration: Critical settings
Normal Behavior
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\reg.exe |
| Parent | cmd.exe, powershell.exe |
| User | Administrator (for HKLM) |
| Context | System administration |
Legitimate Usage
reg query HKLM\SOFTWARE\...
reg export HKLM\SOFTWARE backup.reg
Common Locations
C:\Windows\System32\reg.exeC:\Windows\SysWOW64\reg.exeSuspicious Indicators
Legitimate vs Suspicious
LEGITIMATE
Command: reg query (read operations)
reg export (documented backup)
Context: System administration
SUSPICIOUS
Command: reg add ...\Run /v malware
reg save HKLM\SAM sam.hiv
reg save HKLM\SECURITY sec.hiv
reg add ...\Windows Defender /v DisableAntiSpyware
Context: Persistence setup
Credential extraction
Security tampering
Critical Registry Targets
| Path | Purpose | Risk |
|---|---|---|
| ...\Run, RunOnce | Persistence | CRITICAL |
| HKLM\SAM | Credentials | CRITICAL |
| HKLM\SECURITY | LSA Secrets | CRITICAL |
| ...\Windows Defender | Security | CRITICAL |
Abuse Techniques
Attack Techniques
Technique #1: Registry Persistence (T1547.001)
Add Run Key:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Malware /t REG_SZ /d "C:\malware.exe"
Technique #2: Credential Dumping Preparation (T1003.002)
Export SAM/SECURITY:
reg save HKLM\SAM sam.hiv
reg save HKLM\SECURITY security.hiv
reg save HKLM\SYSTEM system.hiv
Technique #3: Disable Security (T1562.001)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
Technique #4: UAC Bypass Preparation (T1548.002)
reg add HKCU\Software\Classes\ms-settings\shell\open\command /ve /t REG_SZ /d "C:\malware.exe"
Detection Guidance
Detection Strategies
Priority #1: SAM/SECURITY Export
Process = "reg.exe" AND
CommandLine CONTAINS "save" AND
(CommandLine CONTAINS "SAM" OR "SECURITY" OR "SYSTEM")
→ ALERT: CRITICAL - Credential theft preparation
Priority #2: Run Key Modification
Process = "reg.exe" AND
CommandLine CONTAINS "add" AND
CommandLine CONTAINS "\Run"
→ ALERT: HIGH - Persistence attempt
Priority #3: Security Tampering
Process = "reg.exe" AND
CommandLine CONTAINS "Windows Defender"
→ ALERT: CRITICAL - Security tampering
Sigma Rule:
title: Registry Credential Extraction
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'save'
- 'HKLM'
filter:
CommandLine|contains:
- 'SAM'
- 'SECURITY'
- 'SYSTEM'
condition: selection and filter
level: critical
Remediation Steps
Protection and Remediation
Defense: Monitor Registry Changes
Enable registry auditing for critical keys.
Defense: Restrict reg.exe
Restrict to administrators only.
If Compromise Suspected
- Check Run/RunOnce keys
- Verify no SAM exports exist
- Review security policy changes
- Check for UAC bypass keys
- Export and review recent changes
- Restore from known-good backup
Investigation Checklist
Investigation Checklist
- Review full command line arguments
- Check for SAM/SECURITY exports
- Review Run key modifications
- Check Windows Defender registry
- Review recent registry changes
- Check for UAC bypass patterns
- Verify no credential hives exported
- Review service registry entries