Encoded Executable Stored in the Registry
Identifies registry writes whose value data begins with the base64-encoded header of a portable executable. Adversaries stage payloads this way so that the malicious content is never written to disk as a file, a defense evasion technique.
Elastic rule
[metadata]
creation_date = "2020/11/25"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies registry writes whose value data begins with the base64-encoded header of a portable executable. Adversaries
stage payloads this way so that the malicious content is never written to disk as a file, a defense evasion technique.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*", "logs-m365_defender.event-*"]
language = "eql"
license = "Elastic License v2"
name = "Encoded Executable Stored in the Registry"
risk_score = 47
rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and
/* update here with encoding combinations */
 registry.data.strings : "TVqQAAMAAAAEAAAA*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Encoded Executable Stored in the Registry

The Windows Registry is a hierarchical database of settings for the OS and applications, and its values can hold arbitrary string and binary data. Adversaries abuse it to stage an encoded executable that a separate loader (typically a script or a living-off-the-land binary) later reads, decodes and runs in memory, so no payload file ever exists on disk for file-based scanning to find. This rule fires on registry writes whose string data begins with `TVqQAAMAAAAEAAAA`, which is the base64 encoding of the 12-byte DOS header that almost every linker emits (`MZ`, e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4). Only that standard header at base64 alignment zero is covered: a PE with different header values, a blob with junk bytes prepended, or a hex-encoded file produces a different string and is not matched by the query as written.

### Possible investigation steps

- Review the registry path and key where the modification was detected to understand the context and potential impact on the system.
- Decode the full registry value and confirm it is a PE: the decoded data starts with `MZ`, the DWORD at offset 0x3C (e_lfanew) points inside the blob, and a `PE\\0\\0` signature sits at that offset. Hash the decoded file and check the hash against threat intelligence and your own sandbox. The matched prefix `TVqQAAMAAAAEAAAA` only tells you the value is an executable, not which one.
- Check the modification timestamp to correlate with any other suspicious activities or events on the system around the same time.
- Investigate the process or user account responsible for the registry modification to assess if it is associated with legitimate activity or known threats.
- Look for the loader as well as the writer: the write and the execution are usually separate events, so search process and script telemetry for reads of the same key (for example `reg query`, PowerShell `Get-ItemProperty`, or WMI and COM registry access) and for subsequent in-memory execution.
- Cross-reference the alert with other data sources such as Sysmon, Microsoft Defender for Endpoint, or SentinelOne for additional context or corroborating evidence of malicious behavior.
- Evaluate the system's network activity and connections during the time of the registry modification to identify any potential command and control communications or data exfiltration attempts.

### False positive analysis

- Legitimate software installations or updates may write encoded executables to the registry as part of their normal operation. Create exceptions for known software on the specific registry path and the writing process (`process.executable`), not on the data itself.
- Security tools and system management software might store encoded data in the registry for legitimate purposes. Review the registry paths and data associated with these tools and exclude them if they are verified as non-threatening.
- Custom scripts or enterprise applications developed in-house may use encoded executables in the registry for deployment or configuration purposes. Work with development teams to identify these scripts and add exceptions for their registry modifications.
- Regularly review and update the list of exceptions to ensure that only verified and necessary exclusions are maintained, minimizing the risk of overlooking potential threats.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat.
- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the encoded executable.
- Export the affected key to preserve the encoded payload as evidence, then remove the malicious registry entry with a trusted registry editor or an automated script so the encoded executable is no longer stored in the registry.
- Conduct a full system scan using updated antivirus and anti-malware tools to identify and remove any additional threats or remnants of the attack.
- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning.
- Monitor the system and network for any signs of re-infection or similar registry modifications, adjusting detection rules if necessary to enhance future threat identification.
- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further analysis and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[[rule.threat.technique]]
id = "T1140"
name = "Deobfuscate/Decode Files or Information"
reference = "https://attack.mitre.org/techniques/T1140/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
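The rule's literal and the "update here with encoding combinations" comment in the query, worked through as an added example. This is not Elastic's code and is not part of the rule: it derives the base64 form of the standard DOS header (the rule's `TVqQAAMAAAAEAAAA`), derives the equivalent stable substrings for the two other base64 alignments and for hex, runs that widened check over constructed registry events, and decodes and validates a hit the way the triage step above describes. The events, the stub PE and the `HKCU\Software\Example` paths are constructed for the example; field names follow ECS, with `registry.data.strings` reduced to a single string instead of the array ECS stores.

```python
import base64
import binascii
import hashlib
import struct
from typing import Optional

# First 12 bytes of the DOS header almost every linker emits:
# e_magic "MZ", e_cblp 0x90, e_cp 3, e_crlc 0, e_cparhdr 4.
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"


def base64_pattern(raw: bytes, shift: int) -> str:
    """Stable base64 substring `raw` produces when `shift` (0-2) unknown bytes
    precede it. Leading characters that mix with those bytes and any partial
    trailing group are dropped, so only `raw` determines the result."""
    padded = b"\x00" * shift + raw
    full_groups = len(padded) // 3 * 3
    encoded = base64.b64encode(padded[:full_groups]).decode("ascii")
    contaminated = (shift * 8 + 5) // 6  # ceil(8 * shift / 6) characters
    return encoded[contaminated:]


ENCODED_PE_PATTERNS = {
    "base64/0": base64_pattern(DOS_HEADER_PREFIX, 0),  # the rule's own literal
    "base64/1": base64_pattern(DOS_HEADER_PREFIX, 1),
    "base64/2": base64_pattern(DOS_HEADER_PREFIX, 2),
    "hex": DOS_HEADER_PREFIX.hex(),
}


def classify_value(data: str) -> Optional[str]:
    """Name the encoding if a registry string looks like an encoded PE.
    "base64/0" is exactly the rule's prefix match; the others widen it."""
    if data.startswith(ENCODED_PE_PATTERNS["base64/0"]):
        return "base64/0"
    for name in ("base64/1", "base64/2"):
        if ENCODED_PE_PATTERNS[name] in data:
            return name
    if ENCODED_PE_PATTERNS["hex"] in data.lower():
        return "hex"
    return None


def decode_value(data: str, kind: str) -> Optional[bytes]:
    """Reverse the encoding that classify_value() identified."""
    try:
        if kind == "hex":
            return bytes.fromhex(data)
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def carve_pe(blob: bytes) -> Optional[dict]:
    """Triage helper: find the MZ magic within the first bytes, check that
    e_lfanew points at a PE\\0\\0 signature inside the blob, and report what
    an analyst needs for a reputation lookup."""
    start = blob.find(b"MZ", 0, 4)
    if start < 0:
        return None
    image = blob[start:]
    if len(image) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    return {"size": len(image), "e_lfanew": e_lfanew, "machine": hex(machine),
            "sha256": hashlib.sha256(image).hexdigest()}


def scan(events: list) -> list:
    """Run the widened check over registry events and carve each hit."""
    hits = []
    for ev in events:
        data = ev["registry.data.strings"]
        kind = classify_value(data)
        if kind is None:
            continue
        blob = decode_value(data, kind)
        hits.append({"path": ev["registry.path"], "kind": kind,
                     "pe": carve_pe(blob) if blob else None})
    return hits


def build_stub_pe() -> bytes:
    """Constructed stand-in for a dropped payload: 64-byte DOS header with
    e_lfanew = 0x40, then the PE signature and an x64 COFF header
    (IMAGE_FILE_MACHINE_AMD64 = 0x8664). Not a loadable image."""
    dos = DOS_HEADER_PREFIX + b"\x00" * (0x3C - len(DOS_HEADER_PREFIX))
    dos += struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x0022)
    return dos + b"PE\0\0" + coff


STUB_PE = build_stub_pe()

# Constructed registry events with ECS field names (not real telemetry).
SAMPLE_EVENTS = [
    {"registry.path": r"HKCU\Software\Example\Stage1",
     "registry.data.strings": base64.b64encode(STUB_PE).decode()},
    {"registry.path": r"HKCU\Software\Example\Stage2",  # two junk bytes first
     "registry.data.strings": base64.b64encode(b"\x01\x02" + STUB_PE).decode()},
    {"registry.path": r"HKLM\SOFTWARE\Example\Blob",  # hex instead of base64
     "registry.data.strings": STUB_PE.hex().upper()},
    {"registry.path": r"HKCU\Software\Example\Greeting",
     "registry.data.strings": base64.b64encode(b"Hello, registry").decode()},
    {"registry.path": r"HKLM\SOFTWARE\Example\InstallPath",
     "registry.data.strings": r"C:\Program Files\Example\app.exe"},
]

if __name__ == "__main__":
    for name, pattern in ENCODED_PE_PATTERNS.items():
        print(f"{name:9} {pattern}")
    for hit in scan(SAMPLE_EVENTS):
        print(hit["path"], hit["kind"], hit["pe"])
```

Running it prints `TVqQAAMAAAAEAAAA` for alignment zero, `1akAADAAAABAAA` and `NWpAAAwAAAAQA` for the two shifted alignments, and reports the same SHA-256 for all three hits because the carved image is identical once the junk prefix is skipped. The shifted patterns can only be expressed in EQL with a leading wildcard (`"*1akAADAAAABAAA*"`), which is considerably more expensive than the rule's prefix match; and all of the patterns still assume the standard header, so a PE whose DOS header fields differ (a packer or a hand-built stub) encodes to something else and needs its own entry.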