Skip to content
Threat Feed
high advisory

Detection of Hidden Encoded Executables via Registry Modification

Attackers can hide and execute malicious code by storing it in encoded form within the Windows Registry and then executing it, evading traditional file-based detection mechanisms.

Attackers are increasingly leveraging the Windows Registry to store and execute malicious code in an encoded format. This technique allows them to bypass traditional file-based antivirus and application control solutions, as the malicious code is not directly present as an executable file on the disk. This approach can be used for persistence, defense evasion, and lateral movement. While the specific campaigns leveraging this technique are not detailed, the underlying method poses a significant threat to Windows environments. Defenders should focus on detecting suspicious registry modifications and the execution of code from within the registry.

Attack Chain

  1. The attacker gains initial access to the system through an exploit or compromised credentials (details not specified in source).
  2. The attacker uses a scripting language (e.g., PowerShell, cmd.exe) to create or modify a registry key to store the encoded malicious payload.
  3. The encoded payload is written to a specific registry key under HKLM or HKCU.
  4. The attacker uses another script or command to read the encoded payload from the registry.
  5. The script decodes the payload using built-in functions or custom decoding routines.
  6. The decoded payload is then executed directly in memory, without ever touching the disk as a standalone executable.
  7. The executed code performs malicious actions, such as establishing persistence, downloading additional malware, or exfiltrating data.

Impact

Successful exploitation allows attackers to execute arbitrary code on the target system, bypassing traditional security controls. This can lead to data theft, system compromise, and potentially a full network breach. The encoded nature of the payload makes detection challenging, increasing the dwell time and potential damage caused by the attacker. The lack of specific details about observed campaigns makes it difficult to quantify victim numbers or specific sector targeting, but the potential impact is widespread.

Detection coverage 3

Detect Registry Modification with Encoded Executable

high

Detects modification of registry keys with values that appear to be encoded executable content.

sigma tactics: defense_evasion techniques: T1112 sources: registry_set, windows

Detect Process Execution with Decoded Payload

medium

Detects processes spawned with arguments indicative of decoding and executing a payload from the registry.

sigma tactics: execution techniques: T1059.001 sources: process_creation, windows

Detect Certutil Usage for Decoding

medium

Detects certutil being used to decode files, which could be indicative of malware being installed.

sigma tactics: defense_evasion techniques: T1140 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →