Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Sigma rule
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: experimental
description: |
    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
    This technique is abused by several malware families to hide their files from normal users.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
    - attack.defense-evasion
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
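To show what the selection above accepts and rejects, here is an added Python example (not part of the rule page or the Sigma project) that applies the rule's two field conditions to constructed Sysmon Event ID 13 records; the SIDs, image paths and the event dictionary shape are assumptions.

```python
# Selection criteria taken from the rule above: a suffix match on
# TargetObject and an exact match on Details.
TARGET_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
    r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
)
DETAILS_VALUE = "DWORD (0x00000000)"


def matches_rule(event: dict) -> bool:
    """True when a registry_set event satisfies the rule's selection.
    Sigma string matching (plain values and |endswith) is case-insensitive,
    so both fields are lowered before comparison."""
    if event.get("EventID") != 13:  # Sysmon: registry value set
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    return (any(target.endswith(s.lower()) for s in TARGET_SUFFIXES)
            and details == DETAILS_VALUE.lower())


def find_matches(events: list) -> list:
    """Return (Image, TargetObject) for every event that fires the rule."""
    return [(e["Image"], e["TargetObject"]) for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 13 records (the registry_set logsource
# maps to this event); hypothetical SIDs and paths, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    # Hidden set to 1 (Explorer showing hidden files): must not match.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # A different value under the same key set to 0: must not match.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, target in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {image} -> {target}")
```

In a real deployment the rule is converted by a Sigma backend rather than hand-ported; this matcher only illustrates which events the two selection fields accept.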
Related rules
- Hidden Files and Directories
- Hiding Files with Attrib.exe
- PowerShell Logging Disabled Via Registry Key Tampering
- Registry Persistence via Service in Safe Mode
- Set Suspicious Files as System Files Using Attrib.EXE