| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | RegDuke can extract and execute PowerShell scripts from C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[1] | |
| Enterprise | T1546 | .003 | Event Triggered Execution:Windows Management Instrumentation Event Subscription | RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1112 | Modify Registry | RegDuke can create seemingly legitimate Registry key to store its encryption key.[1] | |
| Enterprise | T1027 | Obfuscated Files or Information | RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.[1] | |
| .003 | Steganography | RegDuke can hide data in images, including use of the Least Significant Bit (LSB).[1] | ||
| .011 | Fileless Storage | |||
| Enterprise | T1102 | .002 | Web Service:Bidirectional Communication | |
| ID | Name | Description |
|---|---|---|
| C0023 | Operation Ghost | ForOperation Ghost,APT29 usedRegDuke as a first-stage implant.[1] |