Disable Show Hidden Files

Splunk Security Content

Summary
The "Disable Show Hidden Files" analytic identifies modifications to the Windows registry that disable the display of hidden files, which is a tactic often employed by malware to evade detection. This rule works by monitoring specific registry paths tied to Windows file visibility settings using data from the Endpoint.Registry data model, particularly Sysmon EventID 12 and EventID 13. The detection focuses on changes to three key registry values: `Hidden`, `HideFileExt`, and `ShowSuperHidden`. If any of these values indicate that hidden files are concealed, it suggests potential malicious behavior that requires further investigation. The implications of this rule are significant; if an attacker is able to manipulate these settings, they can hide malicious files from users and security tools, complicating incident response efforts and increasing the risk of infection. This detection rule is crucial for maintaining endpoint security and should be implemented alongside proper log ingestion strategies.
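The following is an added example of the detection logic just described, run over constructed Sysmon-style registry events; it is illustrative code written for this page, not the Splunk analytic's own search. The Explorer registry path (`...\Explorer\Advanced`) and the value semantics (`Hidden=2`, `HideFileExt=1`, `ShowSuperHidden=0` conceal content) are the standard Windows settings and are assumed here, as are the host, user and process names in the sample events.

```python
"""Flag Sysmon registry events that switch Explorer to conceal hidden files,
file extensions or protected OS files.  Added example, not the Splunk
analytic's code.  Registry path and value semantics are the standard Windows
ones (assumed); the sample events below are constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass

# Registry key holding the Explorer view settings (assumed standard path).
ADVANCED_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Settings that conceal content from the user (standard Explorer semantics):
#   Hidden          = 2 -> "Don't show hidden files, folders, or drives"
#   HideFileExt     = 1 -> hide extensions for known file types
#   ShowSuperHidden = 0 -> hide protected operating system files
CONCEALING_VALUES = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}

_DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    process: str
    value_name: str
    new_value: int


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000002)'; return it as int, else None."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def detect(events):
    """One Finding per Sysmon EventID 13 (value set) that writes a concealing
    value to one of the three watched names under the Advanced key.
    The page's rule also reads EventID 12 (key/value create or delete), but
    that event carries no data field, so the value-level check below needs 13."""
    findings = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        key, _, value_name = e.get("TargetObject", "").rpartition("\\")
        if not key.lower().endswith(ADVANCED_KEY.lower()):
            continue
        if value_name not in CONCEALING_VALUES:
            continue
        new_value = parse_dword(e.get("Details"))
        if new_value != CONCEALING_VALUES[value_name]:
            continue  # set to the "show" state, or non-DWORD data: not a concealment
        findings.append(Finding(
            host=e.get("Computer", "?"),
            user=e.get("User", "?"),
            process=e.get("Image", "?"),
            value_name=value_name,
            new_value=new_value,
        ))
    return findings


def by_process(findings):
    """Group concealed value names by (host, writing process).  One non-Explorer
    binary flipping all three is a much stronger signal than a single toggle
    from explorer.exe, which is what a user clicking Folder Options produces."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f.host, f.process)].add(f.value_name)
    return dict(grouped)


# Constructed Sysmon-style events (not real telemetry); SID and names are made up.
_ADV = r"HKU\S-1-5-21-1111-2222-3333-1001" + ADVANCED_KEY
_TMP_EXE = r"C:\Users\alice\AppData\Local\Temp\updater.exe"
SAMPLE_EVENTS = [
    # User turns hidden files ON via Folder Options: benign direction, ignored.
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _ADV + r"\Hidden", "Details": "DWORD (0x00000001)"},
    # Unknown binary in Temp flips all three values to the concealing state.
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice", "Image": _TMP_EXE,
     "TargetObject": _ADV + r"\Hidden", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice", "Image": _TMP_EXE,
     "TargetObject": _ADV + r"\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice", "Image": _TMP_EXE,
     "TargetObject": _ADV + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    # Unrelated value under the same key: ignored.
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _ADV + r"\TaskbarGlomLevel", "Details": "DWORD (0x00000001)"},
    # EventID 12 (value created) carries no data: skipped by the value check.
    {"EventID": 12, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\explorer.exe", "TargetObject": _ADV + r"\Hidden"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host} {f.user} {f.process} set {f.value_name}={f.new_value}")
    print(by_process(hits))
```

Running it reports three findings, all from the Temp binary, and `by_process` collapses them into one `(host, process)` entry covering all three value names; the explorer.exe event that enables hidden-file display is deliberately not flagged, which is the main false-positive source for a rule of this kind.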
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • User Account
  • Windows Registry
  • Network Traffic
ATT&CK Techniques
  • T1564.001
  • T1562.001
  • T1564
  • T1562
  • T1112
Created: 2024-12-08