Threat Feed
high advisory

Windows Registry Modification to Disable Show Hidden Files

This analytic detects modifications to the Windows registry that disable the display of hidden files, a technique commonly used by malware to evade detection and conceal malicious activities.

Attackers often modify Windows Registry settings to disable the display of hidden files and file extensions to conceal malicious files and activities from users and security tools. This technique allows malware, such as worms and trojan spyware, to operate covertly on compromised systems. By preventing the display of hidden files and extensions, attackers can make it more difficult for analysts and users to identify and remove malicious files. This activity is typically performed post-compromise to further entrench the attacker’s presence and maintain stealth within the environment. This technique is often combined with other defense evasion tactics.

Attack Chain

  1. Initial Access: An attacker gains initial access to the system through various methods, such as phishing, exploitation of vulnerabilities, or compromised credentials.
  2. Privilege Escalation (if necessary): The attacker escalates privileges to obtain the necessary permissions to modify the Windows Registry.
  3. Registry Modification: The attacker modifies the following registry keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
  4. Setting Changes: The attacker sets the Hidden value to 2, HideFileExt to 1, and ShowSuperHidden to 0, effectively disabling the display of hidden files and file extensions.
  5. Persistence: The attacker may establish persistence through other means to ensure continued access, even if the system is restarted.
  6. Concealment: The attacker hides malicious files within the compromised system, taking advantage of the disabled display settings.
  7. Lateral Movement & Execution: The attacker moves laterally within the network, executing malicious code on other systems, while maintaining stealth through hidden files.

Impact

Disabling the display of hidden files allows attackers to conceal their malicious activities on compromised systems, making it difficult for users and security tools to detect and remove the threat. If successful, this can lead to extended periods of undetected malicious activity, increasing the risk of data theft, system compromise, and other security incidents. This impacts all Windows systems where the registry keys can be modified.

Recommendation

  • Enable Sysmon Event ID 13 (RegistryEvent) logging to capture registry modifications as described in the data_source section.
  • Deploy the Sigma rule “Detect Registry Modification to Hide Files” to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the registry modifications.
  • Use the provided reference link to understand the context surrounding registry changes that disable the display of hidden files.
  • Consider implementing additional monitoring and alerting for other defense evasion techniques to detect and respond to malicious activity comprehensively.
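As an added example that is not part of this advisory or its Sigma rule, the following Python applies the attack-chain key/value logic above to Sysmon Event ID 13 (RegistryEvent, SetValue) records; the events are constructed for illustration and the field names (TargetObject, Details, Image, EventType) follow Sysmon's schema. Sysmon records per-user hives as HKU\<SID>\... rather than HKCU\..., so the check matches on the key suffix instead of the HKCU prefix.

```python
import re
from typing import Optional

# From the advisory: Hidden=2 hides hidden files, HideFileExt=1 hides extensions,
# ShowSuperHidden=0 hides protected OS files. Names are compared case-insensitively.
ADVANCED_KEY = "\\software\\microsoft\\windows\\currentversion\\explorer\\advanced"
HIDING_VALUES = {"hidden": 2, "hidefileext": 1, "showsuperhidden": 0}
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)")

def parse_dword(details: str) -> Optional[int]:
    """Parse Sysmon's Details field for a DWORD write, e.g. 'DWORD (0x00000002)'."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def classify_registry_event(event: dict) -> Optional[str]:
    """Return a finding if a Sysmon Event ID 13 (SetValue) record writes one of the
    Explorer\\Advanced values to its hiding value; otherwise return None."""
    if event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    # Sysmon logs user hives as HKU\<SID>\..., not HKCU\..., so match on the key suffix.
    key_path, _, value_name = target.rpartition("\\")
    if not key_path.lower().endswith(ADVANCED_KEY):
        return None
    expected = HIDING_VALUES.get(value_name.lower())
    if expected is None:
        return None
    if parse_dword(event.get("Details", "")) != expected:
        return None  # e.g. Hidden=1 is a user re-enabling hidden files: benign
    return f"{value_name}={expected} set by {event.get('Image', '<unknown>')} on {target}"

# Constructed Sysmon EID 13 records for illustration, not real telemetry (SID is made up).
ADV = "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "TargetObject": ADV + "Hidden", "Details": "DWORD (0x00000002)"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": ADV + "Hidden", "Details": "DWORD (0x00000001)"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": ADV + "ShowSuperHidden", "Details": "DWORD (0x00000000)"},
]

def scan(events: list) -> list:
    """Run the classifier over a batch of events and keep only the findings."""
    return [f for f in map(classify_registry_event, events) if f]
```

The second sample (Hidden=1 written by explorer.exe) is a user turning hidden files back on and produces no finding, which is the kind of benign write the advisory's tuning step is meant to separate from the hiding values.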

Detection coverage (2 rules)

Detect Registry Modification to Hide Files

Severity: high

Detects modifications to the Windows registry that disable the display of hidden files and file extensions.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1564.001. Sources: registry_set, windows.

Detect Process Modifying Hidden File Settings

Severity: medium

Detects processes modifying Windows Registry settings related to hidden file display.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1564.001. Sources: process_creation, windows.
