Techniques
Sample rules
Reg exe used to hide files directories via registry keys
- source: splunk
- technicques:
- T1564.001
Description
The search looks for command-line arguments used to hide a file or directory using the reg add command.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| regex process = "(/d\s+2)"
| `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`