Suspicious Hex-Encoded Values in Registry Keys

Rule Info

Name: Suspicious Hex-Encoded Values in Registry Keys
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious registry modifications where LOLBins (Living Off The Land Binaries) write long hexadecimal-encoded strings to user-writable registry keys. This pattern is commonly observed in fileless malware attacks where threat actors store encoded payloads (shellcode, scripts, or commands) in the registry to evade detection and maintain persistence. The rule specifically monitors PowerShell, reg.exe, script engines, and other commonly abused Windows binaries that adversaries leverage for registry manipulation.
Date: 2025-08-13 00:00:00
Modified: None
Id: 5a5cb696-1b2f-4e3f-a99c-cdaa99e5ce88
Tags: attack.defense-evasion attack.t1112 attack.t1027
Type: Nextron Sigma feed only (private)

Rule History