Displaying Hidden Files Feature Disabled

Mar 26, 2024 · attack.defense_evasion attack.t1564.001 ·

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

Sigma rule (View on GitHub)

 1title: Displaying Hidden Files Feature Disabled
 2id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
 3status: experimental
 4description: |
 5    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
 6    This technique is abused by several malware families to hide their files from normal users.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
 9author: frack113
10date: 2022/04/02
11modified: 2024/03/26
12tags:
13    - attack.defense_evasion
14    - attack.t1564.001
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|endswith:
21            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
22            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
23        Details: 'DWORD (0x00000000)'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

atomic-red-team/atomics/T1564.001/T1564.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Displaying Hidden Files Feature Disabled

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1564.001/T1564.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules