title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564.001
    - attack.t1112
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Microsoft\Windows\PowerShell\' # PowerShell 5
            - '\Microsoft\PowerShellCore\' # PowerShell 7
        TargetObject|endswith:
            - '\ModuleLogging\EnableModuleLogging'
            - '\ScriptBlockLogging\EnableScriptBlockLogging'
            - '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
            - '\Transcription\EnableTranscripting'
            - '\Transcription\EnableInvocationHeader'
            - '\EnableScripts'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
    - type: atomic-red-team
      name: Disable PowerShell Logging via Registry
      technique: T1112
      atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8

title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4

title: Set Suspicious Files as System Files Using Attrib.EXE
id: efec536f-72e8-4656-8960-5e85d091345b
related:
    - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
      type: derived
status: test
description: |
    Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
references:
    - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
    - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-14
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\attrib.exe'
        - OriginalFileName: 'ATTRIB.EXE'
    selection_cli:
        CommandLine|contains: ' +s'
    selection_paths:
        CommandLine|contains:
            - ' %' # Custom Environment variable
            - '\Users\Public\'
            - '\AppData\Local\'
            - '\ProgramData\'
            - '\Downloads\'
            - '\Windows\Temp\'
    selection_ext:
        CommandLine|contains:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_optional_installer:
        CommandLine|contains|all:
            - '\Windows\TEMP\'
            - '.exe'
    condition: all of selection* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
    This technique is abused by several malware families to hide their files from normal users.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: test
description: Detects usage of attrib.exe to hide files from users.
references:
    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
    - https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
author: Sami Ruohonen
date: 2019-01-16
modified: 2023-03-14
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\attrib.exe'
        - OriginalFileName: 'ATTRIB.EXE'
    selection_cli:
        CommandLine|contains: ' +h '
    filter_main_msiexec:
        CommandLine|contains: '\desktop.ini '
    filter_optional_intel:
        ParentImage|endswith: '\cmd.exe'
        CommandLine: '+R +H +S +A \\\*.cui'
        ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
    - Msiexec.exe hiding desktop.ini
level: medium

title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
    - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022-07-18
modified: 2024-04-29
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_icacls:
        - OriginalFileName: 'iCACLS.EXE'
        - Image|endswith: '\icacls.exe'
    selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        CommandLine|contains|all:
            - '/deny'
            - '*S-1-1-0:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Hidden Files and Directories
id: d08722cd-3d09-449a-80b4-83ea2d9d4616
status: test
description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: 'Pawel Mazur'
date: 2021-09-06
modified: 2025-06-16
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    product: linux
    service: auditd
detection:
    selection_commands:
        type: 'EXECVE'
        a0:
            - 'mkdir'
            - 'nano'
            - 'touch'
            - 'vi'
            - 'vim'
    selection_arguments:
        - a1|re: '(^|\/)\.[^.\/]'
        - a2|re: '(^|\/)\.[^.\/]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low