{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/encoded-executable/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","encoded-executable"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to evade defenses by storing encoded executable content within the Windows Registry. This technique avoids writing PE files directly to disk, which can be a trigger for many endpoint detection systems. This activity involves modifying registry keys to store Base64 or otherwise encoded executables, which are then later decoded and executed. The signature \u003ccode\u003eTVqQAAMAAAAEAAAA*\u003c/code\u003e is often observed as a prefix for encoded executables. This behavior is often incorporated into malware loaders, droppers, and other tools to conceal their true intent. The Elastic detection rule was published in 2020 and last updated in April 2026. This technique is relevant for defenders because it can bypass traditional file-based scanning and signature-based detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell or cmd.exe) to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe script writes an encoded executable (identified by the signature \u003ccode\u003eTVqQAAMAAAAEAAAA*\u003c/code\u003e) into a registry key value.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another script or program to read the encoded executable from the registry.\u003c/li\u003e\n\u003cli\u003eThe script decodes the executable (e.g., using Base64 decoding).\u003c/li\u003e\n\u003cli\u003eThe decoded executable is written to a temporary location in memory or on disk.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the decoded executable using process injection or other execution techniques.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as establishing persistence, stealing credentials, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to conceal malicious code within the registry, evading traditional file-based detection methods. This can lead to prolonged compromise of the targeted system, enabling attackers to perform various malicious activities, including data theft, lateral movement, and deployment of ransomware. The number of victims and specific sectors targeted are dependent on the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;Encoded Executable Stored in the Registry\u0026quot; Sigma rule to detect suspicious registry modifications indicative of encoded executables being stored (rules).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the required data is available for the provided Sigma rules (rules, logsource).\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications containing the encoded string \u003ccode\u003eTVqQAAMAAAAEAAAA*\u003c/code\u003e to identify potentially malicious activity (iocs).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes spawned from unusual locations or with unusual parent processes after registry modifications (rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T10:00:00Z","date_published":"2024-01-30T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-encoded-executable-registry/","summary":"This rule detects registry modifications used to hide encoded portable executables, indicating a defense evasion technique where adversaries avoid storing malicious content directly on disk by writing encoded executables to the Windows Registry.","title":"Encoded Executable Stored in the Registry","url":"https://feed.craftedsignal.io/briefs/2024-01-30-encoded-executable-registry/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","encoded-executable"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging the Windows Registry to store and execute malicious code in an encoded format. This technique allows them to bypass traditional file-based antivirus and application control solutions, as the malicious code is not directly present as an executable file on the disk. This approach can be used for persistence, defense evasion, and lateral movement. While the specific campaigns leveraging this technique are not detailed, the underlying method poses a significant threat to Windows environments. Defenders should focus on detecting suspicious registry modifications and the execution of code from within the registry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or compromised credentials (details not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a scripting language (e.g., PowerShell, cmd.exe) to create or modify a registry key to store the encoded malicious payload.\u003c/li\u003e\n\u003cli\u003eThe encoded payload is written to a specific registry key under \u003ccode\u003eHKLM\u003c/code\u003e or \u003ccode\u003eHKCU\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses another script or command to read the encoded payload from the registry.\u003c/li\u003e\n\u003cli\u003eThe script decodes the payload using built-in functions or custom decoding routines.\u003c/li\u003e\n\u003cli\u003eThe decoded payload is then executed directly in memory, without ever touching the disk as a standalone executable.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as establishing persistence, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, bypassing traditional security controls. This can lead to data theft, system compromise, and potentially a full network breach. The encoded nature of the payload makes detection challenging, increasing the dwell time and potential damage caused by the attacker. The lack of specific details about observed campaigns makes it difficult to quantify victim numbers or specific sector targeting, but the potential impact is widespread.\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-hide-encoded-executable-registry/","summary":"Attackers can hide and execute malicious code by storing it in encoded form within the Windows Registry and then executing it, evading traditional file-based detection mechanisms.","title":"Detection of Hidden Encoded Executables via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-hide-encoded-executable-registry/"}],"language":"en","title":"CraftedSignal Threat Feed - Encoded-Executable","version":"https://jsonfeed.org/version/1.1"}