Detect Hidden Window in Splunk
Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.003 Hidden Window
- Canonical reference
- https://attack.mitre.org/techniques/T1564/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\wscript.exe")
| eval PSHidden=if(match(CommandLine, "(-[Ww]indow[Ss]tyle\s+[Hh]idden|-w\s+hidden|-windowstyle\s+h)"), 1, 0)
| eval EncodedCmd=if(match(CommandLine, "(-[Ee]ncodedCommand|-enc\s|-e\s|-ec\s)"), 1, 0)
| eval DownloadCradle=if(match(CommandLine, "(Net\.WebClient|Invoke-WebRequest|DownloadString|IEX)"), 1, 0)
| eval PolicyBypass=if(match(CommandLine, "(-[Ee]xecution[Pp]olicy\s+[Bb]ypass|-ep\s+bypass)"), 1, 0)
| eval RiskScore=PSHidden + EncodedCmd + DownloadCradle + PolicyBypass
| where RiskScore > 0 AND PSHidden=1
| table _time, host, User, Image, CommandLine, ParentImage, PSHidden, EncodedCmd, DownloadCradle, PolicyBypass, RiskScore
| sort - _timeDetects hidden window execution using Sysmon Event ID 1. Requires PSHidden=1 as a baseline plus at least one other suspicious indicator for higher confidence alerting. This reduces false positives from legitimate admin automation while catching malicious multi-indicator combinations.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT automation scripts using -WindowStyle Hidden for background tasks
- Software update mechanisms using silent hidden PowerShell windows
- Monitoring agents executing PowerShell checks in non-interactive hidden sessions
- Remote management tools using hidden execution
Other platforms for T1564.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
- Test 2Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
- Test 3Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.
References (4)
Unlock Pro Content
Get the full detection package for T1564.003 including response playbook, investigation guide, and atomic red team tests.