Modification of Explorer Hidden Keys

Detects modifications to the Explorer hidden-file settings in the registry: the Hidden and ShowSuperHidden values under Explorer\Advanced being set to 0. This technique is abused by several malware families to hide their files from normal users. Note that the rule's selection matches the machine-wide HKLM path only; Explorer also stores these values per user under HKCU, which Sysmon records as HKU\<SID>\..., and the Hidden value uses 2 (not 0) to hide hidden files, so per-user writes and the Hidden=2 case fall outside this rule as written.

Sigma rule

title: Modification of Explorer Hidden Keys
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: experimental
description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022/04/02
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject:
            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
            - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
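The following is an added example, not part of the SigmaHQ rule or its page: it applies the rule's selection to a handful of constructed Sysmon Event ID 13 (registry value set) records, which is what the `registry_set` log source maps to in the common Sigma backends. Sigma string matching is case-insensitive, so the matcher lowercases both sides. A second helper surfaces writes to the same value names under the per-user HKU\<SID> path, which the rule does not cover, so an analyst can see what the selection would miss. The event records, SIDs and image paths are made up for the demonstration.

```python
"""Run the 'Modification of Explorer Hidden Keys' selection over sample Sysmon events.

Added example; the events below are constructed, not real telemetry.
"""
import re

# Copied from the rule's selection.
TARGET_OBJECTS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
}
DETAILS = "DWORD (0x00000000)"

# Sigma compares strings case-insensitively; pre-lowercase the list once.
_TARGETS_LC = {t.lower() for t in TARGET_OBJECTS}

# Constructed Sysmon EventID 13 records (Image, TargetObject, Details are the
# fields the rule cares about; the SID below is invented).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},                                   # hide protected OS files -> match
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000001)"},                                   # value set to 1 (show) -> no match
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000000)"},                                   # Hidden = 0 under HKLM -> match
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},                                   # per-user write, Hidden = 2 -> outside the rule
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe"},                          # unrelated key -> no match
]


def matches(event: dict) -> bool:
    """True when the event satisfies the rule's selection (case-insensitive, as in Sigma)."""
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return target in _TARGETS_LC and details == DETAILS.lower()


def run_rule(events: list) -> list:
    """Return indices of EventID 13 records flagged by the rule."""
    return [i for i, e in enumerate(events) if e.get("EventID") == 13 and matches(e)]


# Same value names, but under a per-user hive as Sysmon records it (HKU\<SID>\Software\...).
_PER_USER_RE = re.compile(
    r"^HKU\\S-1-5-21-[0-9-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$",
    re.IGNORECASE,
)


def per_user_variants(events: list) -> list:
    """Return events that change the same Explorer values per user; not covered by the rule."""
    return [e for e in events
            if e.get("EventID") == 13 and _PER_USER_RE.match(str(e.get("TargetObject", "")))]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT  {e['Image']} -> {e['TargetObject']} = {e['Details']}")
    for e in per_user_variants(SAMPLE_EVENTS):
        print(f"NOTE   per-user write outside the rule: {e['TargetObject']} = {e['Details']}")
```

Running the script flags events 0 and 2 and reports event 3 as a per-user write the selection does not cover; extending the rule to those paths would need a wildcard on the SID (e.g. a `|contains` modifier on the value name) and a Details value matching how Explorer actually hides files.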
