Reg.exe used to hide files/directories via registry keys

Description

The search looks for command-line arguments used to hide a file or directory using the reg add command.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Medium

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence

MITRE ATT&CK Techniques

Registry Run Keys / Startup Folder
Modify Registry

MITRE Threat Groups

APT19
APT32
APT38
APT41
Blue Mockingbird
Dragonfly 2.0
FIN8
Gamaredon Group
Gorgon Group
Honeybee
Lazarus Group
Patchwork
Silence
Threat Group-3390
Turla
Wizard Spider

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

Reg.exe is a binary native to the Windows platform that is used to edit the system's registry hives. Attackers can leverage this binary to hide files by passing it the arguments that set the relevant registry value. The search first gathers events whose raw text contains the keywords add, Hidden, and REG_DWORD, and filters them by process and command line. It then applies a regular expression to the command-line field to look for a /d value of 2, which is the setting responsible for hiding a file or directory.
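The two-stage logic described above (keyword pre-filter, then a regular expression on the command line), written out as an added Python example that runs over constructed EDR process events; this is not the page's SPL search or Splunk code, and the field names host, process_name and command_line are assumptions.

```python
import re

# Stage 1: the cheap keyword pre-filter the search applies to the raw event.
# Keyword matching is case-insensitive, like a Splunk keyword search.
KEYWORDS = ("add", "hidden", "reg_dword")

# Stage 2: regular expressions on the command-line field.
# "reg add" (bare name or full path to reg.exe, optionally quoted).
REG_ADD_RE = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
# /d followed by the value 2 (decimal or hex), optionally quoted, as a whole token.
HIDE_VALUE_RE = re.compile(r'/d\s+"?(?:2|0x0*2)"?(?=\s|$)', re.IGNORECASE)


def is_reg_hide_command(process_name: str, command_line: str) -> bool:
    """True when a process event matches the detection logic: reg.exe process,
    all keywords present, 'reg add' syntax, and the Hidden value set to 2."""
    if process_name.lower() != "reg.exe":          # filter by process
        return False
    lowered = command_line.lower()
    if not all(k in lowered for k in KEYWORDS):     # keyword pre-filter
        return False
    if not REG_ADD_RE.search(command_line):         # "add" alone also matches
        return False                                # e.g. "Address", so confirm
    return bool(HIDE_VALUE_RE.search(command_line)) # /d value must be 2


def find_hide_events(events):
    """Return the hosts whose events match, in the order seen."""
    return [e["host"] for e in events
            if is_reg_hide_command(e["process_name"], e["command_line"])]


# Constructed sample EDR events (not real telemetry). Hypothetical field names.
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_EVENTS = [
    {"host": "ws01", "process_name": "reg.exe",
     "command_line": f"reg add {ADV} /v Hidden /t REG_DWORD /d 2 /f"},
    {"host": "ws02", "process_name": "reg.exe",   # /d 1 shows hidden files: benign
     "command_line": f"reg add {ADV} /v Hidden /t REG_DWORD /d 1 /f"},
    {"host": "ws03", "process_name": "reg.exe",   # fails the keyword pre-filter
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws04", "process_name": "reg.exe",   # full path, upper case, hex value
     "command_line": f'"C:\\Windows\\System32\\reg.exe" ADD {ADV} /v Hidden /t REG_DWORD /d 0x2 /f'},
]

if __name__ == "__main__":
    print(find_hide_events(SAMPLE_EVENTS))  # ['ws01', 'ws04']
```

A wrapper such as cmd.exe /c spawning reg.exe produces its own reg.exe child-process event in EDR telemetry, so the process filter does not lose that case.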