Detect Hidden Window in Microsoft Sentinel
Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.003 Hidden Window
- Canonical reference
- https://attack.mitre.org/techniques/T1564/003/
KQL Detection Query
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-windowstyle h", "/hh")
or (ProcessCommandLine has_any ("-NonInteractive", "-noni", "-NonI") and ProcessCommandLine has_any ("-WindowStyle", "-w "))
| extend PSHidden = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-windowstyle h")
| extend EncodedCmd = ProcessCommandLine has_any ("-EncodedCommand", "-enc ", "-e ")
| extend DownloadCradle = ProcessCommandLine has_any ("Net.WebClient", "Invoke-WebRequest", "IEX", "DownloadString")
| extend PolicyBypass = ProcessCommandLine has_any ("-ExecutionPolicy Bypass", "-ep bypass")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass
| sort by Timestamp descDetects hidden window execution primarily via PowerShell's -WindowStyle Hidden flag and related parameters. Combines with other suspicious indicators (encoded commands, download cradles, execution policy bypass) to identify malicious hidden script execution. This covers the most common malware dropper and stager patterns.
Data Sources
Required Tables
False Positives & Tuning
- IT automation scripts and scheduled tasks that use -WindowStyle Hidden to run without disrupting the user desktop
- Software update mechanisms that run silent background updates using hidden PowerShell windows
- System monitoring agents that execute PowerShell checks in hidden windows to avoid user interruption
- Remote management tools (PSExec, Ansible WinRM) that execute PowerShell commands in non-interactive hidden sessions
Other platforms for T1564.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
- Test 2Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
- Test 3Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.
References (4)
Unlock Pro Content
Get the full detection package for T1564.003 including response playbook, investigation guide, and atomic red team tests.