PowerShell Executing Base64 Code From Registry

Rule Info

Name
PowerShell Executing Base64 Code From Registry
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects PowerShell command lines that retrieve base64-encoded content from the registry and execute it. Threat actors often stage their payloads in the registry in fileless attacks, using PowerShell to decode and execute the malicious code.
Date
2025-08-13 00:00:00
Modified
None
Id
77e9b5b1-0e04-4d7f-8144-02b627d04890
Tags
attack.execution attack.t1059.001 attack.defense-evasion attack.t1027.011
Type
Nextron Sigma feed only (private)
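The rule logic itself is private to the feed, so the following is an added example, not the Nextron rule: a Python heuristic that approximates the behaviour the description names (a registry read, a base64 decode and execution of the result, all in one PowerShell command line) and runs it over a few constructed process command lines. The marker patterns and the sample lines are assumptions made for illustration; a real rule would carry more conditions and exclusions.

```python
import re
from typing import Iterable

# Three marker sets for the three parts of the behaviour in the rule description:
# (1) a registry read, (2) a base64 decode, (3) execution of the decoded result.
# These patterns are an assumption for this example, not the private Nextron rule's logic.
REGISTRY_READ = re.compile(
    r"(?i)(get-itemproperty|get-itempropertyvalue|\bgp\b|\breg(\.exe)?\s+query\b"
    r"|\[microsoft\.win32\.registry\]|registry::|\bhk(lm|cu|cr|u|cc)[:\\])"
)
BASE64_DECODE = re.compile(r"(?i)frombase64string")
EXECUTE = re.compile(r"(?i)(\biex\b|invoke-expression|invoke-command|\[scriptblock\]::create)")


def is_registry_base64_exec(cmdline: str) -> bool:
    """True only when all three markers appear in the same command line.

    Requiring the conjunction keeps ordinary registry reads, ordinary base64
    decodes and ordinary Invoke-Expression usage from firing on their own.
    """
    return bool(
        REGISTRY_READ.search(cmdline)
        and BASE64_DECODE.search(cmdline)
        and EXECUTE.search(cmdline)
    )


def scan(cmdlines: Iterable[str]) -> list[str]:
    """Return the command lines that match the heuristic."""
    return [c for c in cmdlines if is_registry_base64_exec(c)]


# Constructed sample process command lines (not real telemetry). Paths and
# value names are placeholders.
SAMPLE_CMDLINES = [
    # registry read + base64 decode + IEX: should alert
    r'powershell.exe -nop -w hidden -c "IEX([Text.Encoding]::Unicode.GetString('
    r'[Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\Software\Example -Name data).data)))"',
    # plain registry read, no decode or execution: benign
    r"powershell.exe Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -Name ProductName",
    # base64 decode of a literal, no registry, no execution: benign
    r"powershell.exe -c \"[Convert]::FromBase64String('SGVsbG8=')\"",
    # execution of a script file, no registry, no base64: benign
    r'powershell.exe -c "IEX (Get-Content C:\temp\script.ps1)"',
    # reg.exe query variant feeding Invoke-Expression: should alert
    r"cmd /c \"for /f %i in ('reg query HKCU\Software\Example /v data') do powershell -c "
    r"Invoke-Expression([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%i')))\"",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print("ALERT:", hit)
```

Run against a process-creation log export (one command line per entry) and tune the marker lists against your own baseline; keyword heuristics like this trade precision for simplicity, which is why the feed rule pairs the same idea with additional conditions.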

Rule History