Registry Hide Function from User

calendar Aug 17, 2023 · attack.defense_evasion attack.t1112  ·
Share on: linkedin copy

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

Sigma rule (View on GitHub)

 1title: Registry Hide Function from User
 2id: 5a93eb65-dffa-4543-b761-94aa60098fb6
 3status: test
 4description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
 7author: frack113
 8date: 2022/03/18
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.t1112
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_set_1:
18        TargetObject|endswith:
19            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
20            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
21            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
22            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
23            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
24        Details: 'DWORD (0x00000001)'
25    selection_set_0:
26        TargetObject|endswith:
27            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
28            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
29        Details: 'DWORD (0x00000000)'
30    condition: 1 of selection_set_*
31falsepositives:
32    - Legitimate admin script
33level: medium

References

Related rules

to-top