Hiding of an Installed Application from Application Wizard

Rule Info

Name
Hiding of an Installed Application from Application Wizard
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the SystemComponent DWORD registry value being set to 1 under an application's Uninstall key, which removes the application from "Programs and Features" and "Add or Remove Programs" visibility. Threat actors use this technique to hide installed applications, from normal administrative review, as part of persistence or defense evasion strategies.
Reference
https://www.linkedin.com/posts/mauricefielenbach_threatintel-dfir-cybersecurity-share-7452413452813242369-HaC_/
Date
2026-06-04 00:00:00
Modified
None
Id
53e0a5b6-c267-449c-8084-f24baedf26f2
Tags
attack.stealth attack.defense-impairment attack.t1112 attack.persistence attack.t1564
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022