Encoded Executable Stored in the Registry
This rule detects registry modifications used to hide encoded portable executables, indicating a defense evasion technique where adversaries avoid storing malicious content directly on disk by writing encoded executables to the Windows Registry.
Attackers may attempt to evade defenses by storing encoded executable content within the Windows Registry. This technique avoids writing PE files directly to disk, which can be a trigger for many endpoint detection systems. This activity involves modifying registry keys to store Base64 or otherwise encoded executables, which are then later decoded and executed. The signature TVqQAAMAAAAEAAAA* is often observed as a prefix for encoded executables. This behavior is often incorporated into malware loaders, droppers, and other tools to conceal their true intent. The Elastic detection rule was published in 2020 and last updated in April 2026. This technique is relevant for defenders because it can bypass traditional file-based scanning and signature-based detection mechanisms.
Attack Chain
- An attacker gains initial access to the target system (e.g., via phishing or exploit).
- The attacker executes a script or program (e.g., PowerShell or cmd.exe) to modify the registry.
- The script writes an encoded executable (identified by the signature
TVqQAAMAAAAEAAAA*) into a registry key value. - The attacker uses another script or program to read the encoded executable from the registry.
- The script decodes the executable (e.g., using Base64 decoding).
- The decoded executable is written to a temporary location in memory or on disk.
- The attacker executes the decoded executable using process injection or other execution techniques.
- The executed code performs malicious actions, such as establishing persistence, stealing credentials, or deploying ransomware.
Impact
Successful exploitation allows attackers to conceal malicious code within the registry, evading traditional file-based detection methods. This can lead to prolonged compromise of the targeted system, enabling attackers to perform various malicious activities, including data theft, lateral movement, and deployment of ransomware. The number of victims and specific sectors targeted are dependent on the attacker's objectives.
Recommendation
- Deploy the "Encoded Executable Stored in the Registry" Sigma rule to detect suspicious registry modifications indicative of encoded executables being stored (rules).
- Enable Sysmon registry event logging to ensure the required data is available for the provided Sigma rules (rules, logsource).
- Investigate any registry modifications containing the encoded string
TVqQAAMAAAAEAAAA*to identify potentially malicious activity (iocs). - Monitor process creation events for processes spawned from unusual locations or with unusual parent processes after registry modifications (rules).
Detection coverage 2
Encoded Executable Stored in the Registry (Sysmon)
mediumDetects registry write operations that store encoded executable data, a common technique for defense evasion.
Encoded Executable Stored in the Registry (Process Creation)
lowDetects process creation events where the command line contains a registry query to read an encoded executable, followed by decoding and execution.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
string
| Type | Value |
|---|---|
| string | TVqQAAMAAAAEAAAA* |