Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Sigma rule

```yaml
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: experimental
description: |
    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
    This technique is abused by several malware families to hide their files from normal users.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022/04/02
modified: 2024/03/26
tags:
    - attack.defense_evasion
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
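As an added example (not part of the SigmaHQ rule or its site), the following Python re-implements the rule's selection block and runs it over constructed Sysmon Event ID 13 records, including cases the rule deliberately does not match. The field names (TargetObject, Details, Image) follow Sysmon's registry event schema; the Image paths and the SID in the hive path are made up.

```python
"""Added example (not part of the SigmaHQ rule): the rule's selection block
re-implemented in Python and run over constructed Sysmon Event ID 13
(RegistryEvent SetValue) records, which Sigma maps to registry_set."""

# Suffixes and Details literal copied from the rule's selection block.
TARGET_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
    r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
)
TARGET_DETAILS = "DWORD (0x00000000)"


def matches_rule(event):
    """True when TargetObject|endswith one of the suffixes AND Details is the
    DWORD-zero literal. Sigma matches case-insensitively, so lowercase both."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    suffix_hit = any(target.endswith(s.lower()) for s in TARGET_SUFFIXES)
    return suffix_hit and details == TARGET_DETAILS.lower()


def run_rule(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); the hive uses a placeholder SID.
HIVE = r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_EVENTS = [
    # ShowSuperHidden set to 0 (protected OS files hidden again): match
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": HIVE + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    # Hidden set to 0 via reg.exe: match
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HIVE + r"\Hidden", "Details": "DWORD (0x00000000)"},
    # Explorer writes 2 to Hidden when a user unticks "Show hidden files":
    # not the rule's DWORD 0, so no match
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HIVE + r"\Hidden", "Details": "DWORD (0x00000002)"},
    # Neighbouring value HideFileExt set to 0: suffix mismatch, no match
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HIVE + r"\HideFileExt", "Details": "DWORD (0x00000000)"},
    # Same value, but Details not in Sysmon's "DWORD (0x...)" form, as a
    # non-Sysmon source might log it: the literal match fails
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HIVE + r"\Hidden", "Details": "0"},
]

for hit in run_rule(SAMPLE_EVENTS):
    print(f"ALERT {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```

The last two samples show why the rule is tied to Sysmon's Details formatting and to exactly two value names: a registry source that logs the raw number, or a tampered neighbouring value, falls outside the selection.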
Related rules
- Registry Persistence via Service in Safe Mode
- Set Files as System Files Using Attrib.EXE
- Set Suspicious Files as System Files Using Attrib.EXE
- Use Icacls to Hide File to Everyone
- PowerShell Logging Disabled Via Registry Key Tampering