Detect Hidden Window in CrowdStrike LogScale
Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.003 Hidden Window
- Canonical reference
- https://attack.mitre.org/techniques/T1564/003/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe)$/
| CommandLine = /(?i)(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h|\/hh)/
OR (CommandLine = /(?i)(-NonInteractive|-noni|-NonI)/ AND CommandLine = /(?i)(-WindowStyle|-w )/)
| PSHidden := if(CommandLine = /(?i)(-WindowStyle Hidden|-w hidden|-windowstyle h)/, 1, 0)
| EncodedCmd := if(CommandLine = /(?i)(-EncodedCommand|-enc |-e |-ec )/, 1, 0)
| DownloadCradle := if(CommandLine = /(?i)(Net\.WebClient|Invoke-WebRequest|DownloadString|IEX)/, 1, 0)
| PolicyBypass := if(CommandLine = /(?i)(-ExecutionPolicy Bypass|-ep bypass)/, 1, 0)
| RiskScore := PSHidden + EncodedCmd + DownloadCradle + PolicyBypass
| where PSHidden = 1
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass, RiskScore])
| sort(field=@timestamp, order=desc)CrowdStrike LogScale query using ProcessRollup2 events to detect T1564.003 Hidden Window. Identifies PowerShell and scripting host processes spawned with hidden window flags and enriches matches with a composite risk score for encoded commands, download cradles, and execution policy bypass.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike RTR (Real Time Response) scripts run by analysts or automated playbooks that use hidden PowerShell sessions for remediation
- Windows logon scripts and Group Policy Preferences executing PowerShell silently at user or machine logon
- Third-party endpoint management agents (Tanium, BigFix) using hidden PowerShell for inventory collection or patch deployment
Other platforms for T1564.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
- Test 2Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
- Test 3Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.
References (4)
Unlock Pro Content
Get the full detection package for T1564.003 including response playbook, investigation guide, and atomic red team tests.