Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware such as Agent Tesla and Hermetic Wiper use this technique)
Sigma rule
title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
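The rule's matching logic replayed over a few constructed Sysmon Event ID 13 (registry_set) records, as an added Python example that is not part of the Sigma project or of this rule. It assumes the Sysmon field names TargetObject and Details as used by the rule; the hive SID and the sample events are constructed, and the fourth event shows that Sigma string matching is case-insensitive.

```python
# Added example, not from the Sigma project: replays this rule's detection
# logic over constructed Sysmon Event ID 13 (registry_set) records.

# Key paths, value names and Details strings copied from the rule above.
POLICIES = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

def reg(*parts):
    """Join registry path components with a backslash."""
    return "\\".join(parts)

SELECTIONS = {
    # selection_set_1: taskbar clock / tray icons hidden by setting the value to 1
    "selection_set_1": ([reg(POLICIES, v) for v in (
        "HideClock", "HideSCAHealth", "HideSCANetwork", "HideSCAPower",
        "HideSCAVolume")], "DWORD (0x00000001)"),
    # selection_set_0: Explorer info tips / compressed-file colouring disabled with 0
    "selection_set_0": ([reg(ADVANCED, v) for v in ("ShowInfoTip", "ShowCompColor")],
                        "DWORD (0x00000000)"),
}

def selection_matches(event, suffixes, details):
    """Sigma string matching is case-insensitive: |endswith compares the tail
    of TargetObject, and the plain Details field must equal the value."""
    target = event.get("TargetObject", "").lower()
    return (event.get("Details", "").lower() == details.lower()
            and any(target.endswith(s.lower()) for s in suffixes))

def rule_matches(event):
    """condition: 1 of selection_set_* -> any single selection hitting is enough."""
    return any(selection_matches(event, s, d) for s, d in SELECTIONS.values())

def triggered_values(events):
    """Registry value names of the events that fire the rule, in order."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in events if rule_matches(e)]

# Constructed sample events (the SID is a placeholder, not real telemetry).
HIVE = r"HKU\S-1-5-21-0-0-0-1001"
SAMPLE_EVENTS = [
    {"TargetObject": reg(HIVE, POLICIES, "HideClock"), "Details": "DWORD (0x00000001)"},  # fires (set_1)
    {"TargetObject": reg(HIVE, ADVANCED, "ShowInfoTip"), "Details": "DWORD (0x00000000)"},  # fires (set_0)
    {"TargetObject": reg(HIVE, POLICIES, "HideClock"), "Details": "DWORD (0x00000000)"},  # clock re-shown: no
    {"TargetObject": reg(HIVE, ADVANCED, "SHOWINFOTIP"), "Details": "dword (0x00000000)"},  # case-insensitive: fires
    {"TargetObject": reg(HIVE, POLICIES, "NoRun"), "Details": "DWORD (0x00000001)"},  # other value: no
]
```

Note that the Details check is what keeps the benign direction (a clock being re-shown with 0) out of the alert; an event that only carries the same value name still needs the matching DWORD.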
References
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry