T1564.003 Hidden Window Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-windowstyle h", "/hh")
   or (ProcessCommandLine has_any ("-NonInteractive", "-noni", "-NonI") and ProcessCommandLine has_any ("-WindowStyle", "-w "))
| extend PSHidden = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-windowstyle h")
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ")
| extend DownloadCradle = ProcessCommandLine has_any ("Net.WebClient", "Invoke-WebRequest", "IEX", "DownloadString")
| extend PolicyBypass = ProcessCommandLine has_any ("-ExecutionPolicy Bypass", "-ep bypass")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT automation scripts and scheduled tasks that use -WindowStyle Hidden to run without disrupting the user desktop
Software update mechanisms that run silent background updates using hidden PowerShell windows
System monitoring agents that execute PowerShell checks in hidden windows to avoid user interruption
Remote management tools (PSExec, Ansible WinRM) that execute PowerShell commands in non-interactive hidden sessions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe")
| eval PSHidden=if(match(CommandLine, "(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h)"), 1, 0)
| eval EncodedCmd=if(match(CommandLine, "(-[Ee]ncodedCommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval DownloadCradle=if(match(CommandLine, "(Net\.WebClient|Invoke-WebRequest|DownloadString|IEX)"), 1, 0)
| eval PolicyBypass=if(match(CommandLine, "(-[Ee]xecution[Pp]olicy\s+[Bb]ypass|-ep\s+bypass)"), 1, 0)
| eval RiskScore=PSHidden + EncodedCmd + DownloadCradle + PolicyBypass
| where RiskScore > 0 AND PSHidden=1
| table _time, host, User, Image, CommandLine, ParentImage, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass, RiskScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT automation scripts using -WindowStyle Hidden for background tasks
Software update mechanisms using silent hidden PowerShell windows
Monitoring agents executing PowerShell checks in non-interactive hidden sessions
Remote management tools using hidden execution

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
  and (
    process.args : ("-WindowStyle", "-w", "-windowstyle") and process.args : ("Hidden", "hidden", "h")
    or process.command_line : ("*-WindowStyle Hidden*", "*-w hidden*", "*-windowstyle h*", "*/hh*")
    or (process.command_line : ("*-NonInteractive*", "*-noni*", "*-NonI*") and process.command_line : ("*-WindowStyle*", "*-w *"))
  )

high severity high confidence

Data Sources

Endpoint (Elastic Agent with Endpoint Security integration) Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate administrative scripts run silently via task scheduler or deployment tools (SCCM, Ansible) that use -WindowStyle Hidden to avoid UI pop-ups
Software installers and update agents (e.g., Windows Update, Chrome updater) that spawn hidden PowerShell processes during patching
Security tooling and EDR agents that use hidden PowerShell for telemetry collection or remediation actions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE WHEN LOWER("Command") LIKE '%-windowstyle hidden%'
            OR LOWER("Command") LIKE '%-w hidden%'
            OR LOWER("Command") LIKE '%-windowstyle h%'
            OR LOWER("Command") LIKE '%/hh%' THEN 1 ELSE 0 END AS ps_hidden,
  CASE WHEN LOWER("Command") LIKE '%-encodedcommand%'
            OR LOWER("Command") LIKE '%-enc %'
            OR LOWER("Command") LIKE '%-e %'
            OR LOWER("Command") LIKE '%-ec %' THEN 1 ELSE 0 END AS encoded_cmd,
  CASE WHEN LOWER("Command") LIKE '%net.webclient%'
            OR LOWER("Command") LIKE '%invoke-webrequest%'
            OR LOWER("Command") LIKE '%downloadstring%'
            OR LOWER("Command") LIKE '%iex%' THEN 1 ELSE 0 END AS download_cradle,
  CASE WHEN LOWER("Command") LIKE '%-executionpolicy bypass%'
            OR LOWER("Command") LIKE '%-ep bypass%' THEN 1 ELSE 0 END AS policy_bypass
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'A new process has been created')
  AND ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe'
       OR "Process Name" ILIKE '%cmd.exe' OR "Process Name" ILIKE '%wscript.exe'
       OR "Process Name" ILIKE '%cscript.exe')
  AND (
    LOWER("Command") LIKE '%-windowstyle hidden%'
    OR LOWER("Command") LIKE '%-w hidden%'
    OR LOWER("Command") LIKE '%-windowstyle h%'
    OR (LOWER("Command") LIKE '%/hh%' AND "Process Name" ILIKE '%cmd.exe')
    OR (LOWER("Command") LIKE '%-noninteractive%' AND LOWER("Command") LIKE '%-windowstyle%')
  )
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LAST 86400 SECONDS

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 with command line auditing) Sysmon EventID 1 via QRadar DSM

Required Tables

events

False Positives

IT automation tools such as SCCM client actions or Group Policy scripts that silently execute PowerShell with hidden windows
Antivirus or EDR products performing background remediation tasks using hidden PowerShell sessions
DevOps pipeline agents (Jenkins, GitLab Runner, Azure DevOps) running build scripts non-interactively

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /EventCode=1|EventID=4688/
| parse regex field=_raw "(?:CommandLine|ProcessCommandLine|CommandLine)\s*=\s*\"(?<command_line>[^\"]+)\"" nodrop
| parse regex field=_raw "(?:Image|NewProcessName)\s*=\s*\"(?<process_image>[^\"]+)\"" nodrop
| parse regex field=_raw "(?:ParentImage|ParentProcessName)\s*=\s*\"(?<parent_image>[^\"]+)\"" nodrop
| parse regex field=_raw "(?:User|SubjectUserName)\s*=\s*\"(?<username>[^\"]+)\"" nodrop
| parse regex field=_raw "(?:Computer|ComputerName)\s*=\s*\"(?<hostname>[^\"]+)\"" nodrop
| where (
    process_image matches /(?i)(powershell|pwsh|cmd|wscript|cscript)\.exe$/
  )
| where (
    command_line matches /(?i)(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h)/
    or command_line matches /(?i)\/hh/
    or (command_line matches /(?i)(-NonInteractive|-noni|-NonI)/ and command_line matches /(?i)(-WindowStyle|-w )/)
  )
| eval ps_hidden = if(command_line matches /(?i)(-WindowStyle Hidden|-w hidden|-windowstyle h)/, 1, 0)
| eval encoded_cmd = if(command_line matches /(?i)(-EncodedCommand|-enc |-e |-ec )/, 1, 0)
| eval download_cradle = if(command_line matches /(?i)(Net\.WebClient|Invoke-WebRequest|DownloadString|IEX)/, 1, 0)
| eval policy_bypass = if(command_line matches /(?i)(-ExecutionPolicy Bypass|-ep bypass)/, 1, 0)
| eval risk_score = ps_hidden + encoded_cmd + download_cradle + policy_bypass
| where ps_hidden = 1
| fields _time, hostname, username, process_image, command_line, parent_image, ps_hidden, encoded_cmd, download_cradle, policy_bypass, risk_score
| sort by _time desc

high severity high confidence

Data Sources

Sysmon EventID 1 via Sumo Logic Installed Collector Windows Security EventID 4688 with process command line auditing enabled

Required Tables

Windows Sysmon logs Windows Security Event Logs

False Positives

Scheduled tasks running PowerShell maintenance scripts silently (e.g., disk cleanup, Windows Defender updates, certificate renewal)
Software deployment systems (PDQ Deploy, Chocolatey, Ninite) using hidden PowerShell to install applications without desktop prompts
Monitoring agents or backup clients invoking hidden PowerShell for health checks or snapshot operations

Google Chronicle / SecOps

yaral

rule t1564_003_hidden_window {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1564.003 Hidden Window technique via PowerShell or scripting hosts using -WindowStyle Hidden, -w hidden, or /hh flags. Scores additional indicators including encoded commands, download cradles, and execution policy bypass."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.003"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1564/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$/
    (
      $e.target.process.command_line = /(?i)(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h)/
      or (
        $e.target.process.command_line = /(?i)(-NonInteractive|-noni|-NonI)/
        and $e.target.process.command_line = /(?i)(-WindowStyle|-w )/
      )
      or (
        $e.principal.process.file.full_path = /(?i)cmd\.exe$/
        and $e.target.process.command_line = /(?i)\/hh/
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM via Windows Event Forwarding Chronicle Forwarder with Sysmon EventID 1 ingestion Chronicle Windows Sensor

Required Tables

UDM events (PROCESS_LAUNCH entity type)

False Positives

Enterprise management platforms (MECM/SCCM, Intune) deploying software via background PowerShell sessions that suppress windows for seamless user experience
Vulnerability scanners and patch management tools (Qualys, Tenable) that spawn hidden scripting processes during agent-based assessments
Application self-update mechanisms that leverage hidden PowerShell to download and install patches without interrupting the user

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$/
| CommandLine = /(?i)(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h|\/hh)/
  OR (CommandLine = /(?i)(-NonInteractive|-noni|-NonI)/ AND CommandLine = /(?i)(-WindowStyle|-w )/)
| PSHidden := if(CommandLine = /(?i)(-WindowStyle Hidden|-w hidden|-windowstyle h)/, 1, 0)
| EncodedCmd := if(CommandLine = /(?i)(-EncodedCommand|-enc |-e |-ec )/, 1, 0)
| DownloadCradle := if(CommandLine = /(?i)(Net\.WebClient|Invoke-WebRequest|DownloadString|IEX)/, 1, 0)
| PolicyBypass := if(CommandLine = /(?i)(-ExecutionPolicy Bypass|-ep bypass)/, 1, 0)
| RiskScore := PSHidden + EncodedCmd + DownloadCradle + PolicyBypass
| where PSHidden = 1
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon Data Replicator (FDR) pipeline to LogScale

Required Tables

ProcessRollup2 Falcon event stream

False Positives

CrowdStrike RTR (Real Time Response) scripts run by analysts or automated playbooks that use hidden PowerShell sessions for remediation
Windows logon scripts and Group Policy Preferences executing PowerShell silently at user or machine logon
Third-party endpoint management agents (Tanium, BigFix) using hidden PowerShell for inventory collection or patch deployment

Hidden Window

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections