Reg.exe used to hide files/directories via registry keys
The search looks for command-line arguments used to hide a file or directory using the reg add command.
Reg.exe is a binary native to the Windows platform that edits the system's registry hives. Attackers can leverage this binary to hide files by passing it arguments that mark the files as hidden. The search first gathers events whose raw text contains the keywords add, Hidden and REG_DWORD, then filters by process and command line. It then applies a regular expression to the command-line field to look for a /d value of 2, which is the setting that hides a file or directory.
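The three-stage logic the search applies (keyword prefilter, process filter, command-line regex), as an added Python example that is not the detection's own search; the process-creation events are constructed samples, and the registry path used in them is the standard Explorer Advanced key rather than one taken from the page:

```python
import re

# Constructed sample process-creation events (not from the original page). The registry path is
# the standard Explorer "Advanced" key whose Hidden value controls hidden-file display.
ADV_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_EVENTS = [
    {"process_name": "reg.exe",
     "cmdline": f'reg add "{ADV_KEY}" /v Hidden /t REG_DWORD /d 2 /f'},    # hide -> match
    {"process_name": "reg.exe",
     "cmdline": f'reg add "{ADV_KEY}" /v Hidden /t REG_DWORD /d 1 /f'},    # show hidden -> no match
    {"process_name": "REG.EXE",
     "cmdline": f'REG ADD {ADV_KEY} /v Hidden /t REG_DWORD /d "2" /f'},    # quoted, upper-case -> match
    {"process_name": "reg.exe",
     "cmdline": f'reg add "{ADV_KEY}" /v Hidden /t REG_DWORD /d 20 /f'},   # value 20 -> no match
    {"process_name": "cmd.exe",
     "cmdline": 'cmd.exe /c echo add Hidden REG_DWORD /d 2'},              # keywords, wrong process -> no match
    {"process_name": "reg.exe",
     "cmdline": f'reg query "{ADV_KEY}" /v Hidden'},                       # no add/REG_DWORD -> no match
]

KEYWORDS = ("add", "hidden", "reg_dword")
# /d followed by the value 2 as a whole token (optionally quoted, 0x-prefixed or zero-padded).
HIDE_VALUE_RE = re.compile(r'/d\s+"?(?:0x)?0*2"?(?=\s|$)', re.IGNORECASE)


def is_hidden_file_reg_add(event: dict) -> bool:
    """Return True when the event matches the detection logic described above."""
    cmdline = event.get("cmdline", "")
    lowered = cmdline.lower()
    # 1. Keyword prefilter: all three keywords must appear in the raw event.
    if not all(k in lowered for k in KEYWORDS):
        return False
    # 2. Process filter: only reg.exe executions are of interest.
    if event.get("process_name", "").lower() != "reg.exe":
        return False
    # 3. Command-line regex: the /d value must be 2, the setting that hides files and directories.
    return HIDE_VALUE_RE.search(cmdline) is not None


def find_matches(events: list) -> list:
    """Return the indices of the events the detection would flag."""
    return [i for i, e in enumerate(events) if is_hidden_file_reg_add(e)]


if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['cmdline']}")
```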