Detect Hidden Window in Google Chronicle
Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.003 Hidden Window
- Canonical reference
- https://attack.mitre.org/techniques/T1564/003/
YARA-L Detection Query
rule t1564_003_hidden_window {
meta:
author = "Argus Detection Engineering"
description = "Detects T1564.003 Hidden Window technique via PowerShell or scripting hosts using -WindowStyle Hidden, -w hidden, or /hh flags. Scores additional indicators including encoded commands, download cradles, and execution policy bypass."
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1564.003"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1564/003/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$/
(
$e.target.process.command_line = /(?i)(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h)/
or (
$e.target.process.command_line = /(?i)(-NonInteractive|-noni|-NonI)/
and $e.target.process.command_line = /(?i)(-WindowStyle|-w )/
)
or (
$e.principal.process.file.full_path = /(?i)cmd\.exe$/
and $e.target.process.command_line = /(?i)\/hh/
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1564.003 Hidden Window by matching PowerShell and scripting host process launches containing -WindowStyle Hidden, -w hidden, or /hh command-line arguments within the UDM PROCESS_LAUNCH event stream.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise management platforms (MECM/SCCM, Intune) deploying software via background PowerShell sessions that suppress windows for seamless user experience
- Vulnerability scanners and patch management tools (Qualys, Tenable) that spawn hidden scripting processes during agent-based assessments
- Application self-update mechanisms that leverage hidden PowerShell to download and install patches without interrupting the user
Other platforms for T1564.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
- Test 2Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
- Test 3Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.
References (4)
Unlock Pro Content
Get the full detection package for T1564.003 including response playbook, investigation guide, and atomic red team tests.