medium advisory

Windows Folder Options Disabled via Registry Modification

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions. Malware commonly uses this to conceal malicious files and to deceive users with fake file extensions.

Attackers disable the Windows Folder Options feature by modifying specific registry keys, preventing users from viewing hidden files and file extensions. Malware often employs this technique to conceal malicious files, making them harder for users to identify and remove. The activity sets the registry value *\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (in either hive) to 0x00000001. Detecting this registry modification can help identify potential malware infections or unauthorized attempts to hide files on a system. This technique is associated with CISA Alert AA23-347A.

Attack Chain

  1. An attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
  2. The attacker executes a script or program, possibly via cmd.exe or PowerShell.
  3. The script modifies the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions to disable folder options.
  4. The registry value is set to 0x00000001, effectively hiding files and extensions.
  5. The attacker deploys or activates malware, which is now hidden from plain sight.
  6. The malware performs its intended malicious actions, such as data exfiltration or lateral movement.
  7. The user is less likely to notice the malware due to the hidden files and extensions.

Impact

Successful exploitation allows attackers to hide malicious files and programs from users, increasing the dwell time of malware on the system and hindering detection and remediation efforts. This can lead to data breaches, system compromise, and other malicious activities.

Recommendation

  • Enable Sysmon Event ID 13 logging to monitor registry modifications.
  • Deploy the provided Sigma rule to detect modifications to the NoFolderOptions registry key and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the associated processes and users.
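As an added example (not one of the platform's rules), the following Python applies the detection described above to constructed Sysmon Event ID 13 records, covering the machine hive and the per-user hive in one pass. It assumes Sysmon's field names (TargetObject, Details, Image, User), Sysmon's "DWORD (0x00000001)" rendering of the value, and Sysmon's rendering of HKCU paths as HKU\<SID>\...; the sample records and account names are constructed.

```python
# Flag Sysmon Event ID 13 (RegistryEvent: Value Set) records that write
# NoFolderOptions = 1. Added example mirroring the advisory's detection logic,
# not the platform's own rule; every record in SAMPLE_EVENTS is constructed.
import re

# Path suffix shared by both hives. Sysmon renders HKCU paths as HKU\<SID>\...,
# so matching the suffix covers the machine and the per-user hive alike.
SUFFIX = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
# Sysmon formats a DWORD in the Details field as "DWORD (0x00000001)".
DISABLED_VALUE = "DWORD (0x00000001)"
USER_HIVE_RE = re.compile(r"^HKU\\(S-1-5-21-[\d-]+)\\", re.IGNORECASE)

def classify_hive(target_object: str) -> str:
    """Return 'machine', 'user:<SID>' or 'other' for a Sysmon TargetObject."""
    if target_object.upper().startswith("HKLM\\"):
        return "machine"
    match = USER_HIVE_RE.match(target_object)
    return f"user:{match.group(1)}" if match else "other"

def detect_folder_options_disabled(events: list[dict]) -> list[dict]:
    """Return one alert per Event ID 13 record that sets NoFolderOptions to 1."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:  # only value writes, not key/value creates (ID 12)
            continue
        target = ev.get("TargetObject", "")
        # Registry paths are case-insensitive, so compare the upper-cased suffix.
        if not target.upper().endswith(SUFFIX.upper()):
            continue
        if ev.get("Details") != DISABLED_VALUE:  # a write of 0 re-enables the menu
            continue
        alerts.append({"hive": classify_hive(target), "image": ev.get("Image", ""),
                       "user": ev.get("User", ""), "target": target})
    return alerts

# Constructed Sysmon 13 records using Sysmon's field names; not real telemetry.
HKLM_PATH = "HKLM" + SUFFIX
HKU_PATH = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001" + SUFFIX
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"LAB\alice",
     "TargetObject": HKLM_PATH, "Details": "DWORD (0x00000001)"},          # alert
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"LAB\bob", "TargetObject": HKU_PATH, "Details": "DWORD (0x00000001)"},  # alert
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": r"LAB\alice",
     "TargetObject": HKLM_PATH, "Details": "DWORD (0x00000000)"},          # re-enabled
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe", "User": r"LAB\alice",
     "TargetObject": HKLM_PATH, "Details": ""},                            # create only
]
```

Each alert carries the writing process and account, which is what the recommendation above says to investigate first.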

Detection coverage (2 rules)

Detect Disabling Folder Options via Registry

medium

Detects modification of the Windows registry to disable the Folder Options feature.

Type: sigma | Tactics: defense_evasion | Sources: registry_set, windows

Detect Disabling Folder Options via Registry (Alternate Hive)

medium

Detects modification of the Windows registry to disable the Folder Options feature in the CurrentUser hive.

Type: sigma | Tactics: defense_evasion | Sources: registry_set, windows
