← Back to SOC feed Coverage →

suspicious-base64-encoded-registry-keys

kql MEDIUM Azure-Sentinel
T1112
DeviceRegistryEvents
huntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-08T11:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may encode registry keys in base64 to evade detection while persisting or modifying system configurations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and early-stage compromise attempts.

KQL Query

DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType has_any ('RegistryValueSet','RegistryKeyCreated')
| where isnotempty(RegistryValueData)
| where RegistryValueData matches regex @'\s+([A-Za-z0-9+/]{4,}(?:[A-Za-z0-9+/]{2}[=]{2}|[A-Za-z0-9+/]{3}=)?)\s+' or RegistryValueData matches regex @'^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$'
| extend ExtractedB64 = trim(" ",extract(@'(?:\s+)[A-Za-z0-9+\/=]+(?:\s+)',0,RegistryValueData))
| extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(RegistryValueData))
| extend ExtractedDecodedCommand = base64_decode_tostring(ExtractedB64)
| where isnotempty(DecodedCommand) or isnotempty(ExtractedDecodedCommand)
| project Timestamp, DeviceName, DecodedCommand, ExtractedDecodedCommand, RegistryValueData, RegistryKey, RegistryValueName, RegistryValueType, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Analytic Rule Definition

id: 4751319e-6d20-4c26-893d-baaad90f0747
name: suspicious-base64-encoded-registry-keys
description: |
  Looks for suspicious base64 encoded registry keys being created.
  Author: Jouni Mikkola
  References:
  https://threathunt.blog/registry-hunts/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceRegistryEvents
tactics:
- Defense evasion
relevantTechniques:
  - T1112
query: |
  DeviceRegistryEvents
  | where Timestamp > ago(30d)
  | where ActionType has_any ('RegistryValueSet','RegistryKeyCreated')
  | where isnotempty(RegistryValueData)
  | where RegistryValueData matches regex @'\s+([A-Za-z0-9+/]{4,}(?:[A-Za-z0-9+/]{2}[=]{2}|[A-Za-z0-9+/]{3}=)?)\s+' or RegistryValueData matches regex @'^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$'
  | extend ExtractedB64 = trim(" ",extract(@'(?:\s+)[A-Za-z0-9+\/=]+(?:\s+)',0,RegistryValueData))
  | extend DecodedCommand = replace(@'\x00','', base64_decode_tostring(RegistryValueData))
  | extend ExtractedDecodedCommand = base64_decode_tostring(ExtractedB64)
  | where isnotempty(DecodedCommand) or isnotempty(ExtractedDecodedCommand)
  | project Timestamp, DeviceName, DecodedCommand, ExtractedDecodedCommand, RegistryValueData, RegistryKey, RegistryValueName, RegistryValueType, PreviousRegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName

Required Data Sources

Sentinel TableNotes
DeviceRegistryEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Defense evasion/suspicious-base64-encoded-registry-keys.yaml