Which SIEM platforms have a T1564.003 detection rule?

df00tech provides T1564.003 (Hidden Window) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Hidden Window (T1564.003)?

Detecting Hidden Window requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1564.003 detection?

The T1564.003 detection is rated medium severity with medium confidence.

What are common false positives for T1564.003?

Common false positives for T1564.003 include: IT automation scripts and scheduled tasks that use -WindowStyle Hidden to run without disrupting the user desktop; Software update mechanisms that run silent background updates using hidden PowerShell windows; System monitoring agents that execute PowerShell checks in hidden windows to avoid user interruption.

T1564.003 Elastic Security · Elastic

Detect Hidden Window in Elastic Security

Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.003 Hidden Window
Canonical reference: https://attack.mitre.org/techniques/T1564/003/

Elastic Detection Query

Elastic Security (Elastic)

eql

process where event.type == "start"
  and process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
  and (
    process.args : ("-WindowStyle", "-w", "-windowstyle") and process.args : ("Hidden", "hidden", "h")
    or process.command_line : ("*-WindowStyle Hidden*", "*-w hidden*", "*-windowstyle h*", "*/hh*")
    or (process.command_line : ("*-NonInteractive*", "*-noni*", "*-NonI*") and process.command_line : ("*-WindowStyle*", "*-w *"))
  )

high severity high confidence

Detects processes launched with hidden window flags including PowerShell -WindowStyle Hidden and cmd /hh. Correlates with encoded commands, download cradles, and execution policy bypass for risk scoring.

Data Sources

Endpoint (Elastic Agent with Endpoint Security integration)Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

Legitimate administrative scripts run silently via task scheduler or deployment tools (SCCM, Ansible) that use -WindowStyle Hidden to avoid UI pop-ups
Software installers and update agents (e.g., Windows Update, Chrome updater) that spawn hidden PowerShell processes during patching
Security tooling and EDR agents that use hidden PowerShell for telemetry collection or remediation actions

Download portable Sigma rule (.yml)

Other platforms for T1564.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
Test 2Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
Test 3Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.

Last updated: 2026-04-21 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Hidden Window in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1564.003

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1564.003

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox