Registry Hide Function from User
Detects registry value writes that hide system tray functions from the user (the Explorer policies HideClock, HideSCAHealth, HideSCANetwork, HideSCAPower and HideSCAVolume set to 1) or disable Explorer's item info tips and compressed/encrypted file colouring (ShowInfoTip and ShowCompColor set to 0). Malware such as Agent Tesla and Hermetic Wiper uses this technique.
Sigma rule
title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware such as Agent Tesla and Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
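The detection logic above, re-implemented in plain Python and run over a few constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, the telemetry that Sigma's registry_set category normally maps to. This is an added example, not code from the rule or the SigmaHQ project; the process paths, SIDs and the log records are made up for illustration. It reproduces the two selections, the "1 of selection_set_*" condition and Sigma's default case-insensitive string matching, and includes negative cases a practitioner would want to confirm: the same policy value written back to 0 (which unhides the icon), an unrelated value under the same Policies\Explorer key, and the same write rendered by a log source that does not use Sysmon's 'DWORD (0x...)' formatting, which the exact Details match does not catch.

```python
from dataclasses import dataclass

# selection_set_1 of the rule: tray-icon policies that are suspicious when set to DWORD 1.
HIDE_POLICY_SUFFIXES = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume",
)
# selection_set_0 of the rule: Explorer settings that are suspicious when set to DWORD 0.
SHOW_SETTING_SUFFIXES = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor",
)


@dataclass(frozen=True)
class RegistrySetEvent:
    """The Sysmon EID 13 fields the rule needs; Image is carried only for triage context."""
    image: str
    target_object: str
    details: str


def _endswith_any(value: str, suffixes: tuple) -> bool:
    # Sigma string modifiers are case-insensitive unless |cased is used, so compare lowered.
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: RegistrySetEvent):
    """Return the selection that fires, or None (condition: 1 of selection_set_*)."""
    if _endswith_any(event.target_object, HIDE_POLICY_SUFFIXES) and event.details == "DWORD (0x00000001)":
        return "selection_set_1"
    if _endswith_any(event.target_object, SHOW_SETTING_SUFFIXES) and event.details == "DWORD (0x00000000)":
        return "selection_set_0"
    return None


# Constructed sample telemetry (hypothetical processes, SIDs and writes; not real captures).
SAMPLE_EVENTS = [
    RegistrySetEvent(r"C:\Users\alice\AppData\Roaming\updater.exe",
                     r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
                     "DWORD (0x00000001)"),
    RegistrySetEvent(r"C:\Users\alice\AppData\Roaming\updater.exe",
                     r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip",
                     "DWORD (0x00000000)"),
    # HideClock written to 0 unhides the clock: must not fire.
    RegistrySetEvent(r"C:\Windows\System32\gpupdate.exe",
                     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock",
                     "DWORD (0x00000000)"),
    # ShowCompColor re-enabled (1): benign, must not fire.
    RegistrySetEvent(r"C:\Windows\explorer.exe",
                     r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor",
                     "DWORD (0x00000001)"),
    # A different value under the same Policies\Explorer key: outside the rule's scope.
    RegistrySetEvent(r"C:\Windows\System32\gpupdate.exe",
                     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel",
                     "DWORD (0x00000001)"),
    # Same write as the first event, but with the value rendered as a bare number by a
    # non-Sysmon log source: the exact Details string match misses it.
    RegistrySetEvent(r"C:\Users\alice\AppData\Roaming\updater.exe",
                     r"HKU\S-1-5-21-111-222-333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth",
                     "1"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Evaluate the rule over events; returns one (image, target_object, selection) tuple per hit."""
    hits = []
    for ev in events:
        selection = matches_rule(ev)
        if selection is not None:
            hits.append((ev.image, ev.target_object, selection))
    return hits


if __name__ == "__main__":
    for image, target, selection in run_detection():
        print(f"[{selection}] {image} -> {target}")
```

Two points the sample makes explicit: because the rule uses endswith on TargetObject, writes under both HKLM (machine policy) and HKU/HKCU (per-user) hives match, so the source process and hive are what separate a GPO refresh from malware; and the Details match is an exact string in Sysmon's rendering, so a backend that maps registry_set to an EDR feed which formats values differently needs a field mapping for Details, not just for TargetObject, or the rule silently never fires.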
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird