Disable Show Hidden Files
Description
The following analytic is to identify a modification in the Windows registry to prevent users from seeing all the files with hidden attributes. This event or techniques are known on some worm and trojan spy malware that will drop hidden files on the infected machine.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-03-31
- Author: Teoderick Contreras, Mauricio Velazco, Splunk
- ID: 6f3ccfa2-91fe-11eb-8f9b-acde48001122
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1564.001 | Hidden Files and Directories | Defense Evasion |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1564 | Hide Artifacts | Defense Evasion |
| T1562 | Impair Defenses | Defense Evasion |
Search
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000") by Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `disable_show_hidden_files_filter`
Associated Analytic Story
How To Implement
To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Registry node. Also make sure that this registry was included in your config files ex. sysmon config to be monitored.
Required field
- _time
- Registry.registry_key_name
- Registry.registry_path
- Registry.user
- Registry.dest
- Registry.registry_value_nam
Kill Chain Phase
- Exploitation
Known False Positives
unknown
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 40.0 | 40 | 100 | Disabled 'Show Hidden Files' on $dest$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-security.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-system.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
source | version: 1