title: Hidden Window (T1564.003)
id: df00tech-t1564-003
status: experimental
description: "Adversaries may use hidden windows to conceal malicious activity from users. On Windows, this is achieved through PowerShell's -WindowStyle Hidden flag or by using the ShowWindow API with SW_HIDE. The CreateProcess API's STARTUPINFO structure also allows processes to be created without a visible window. On macOS, the LSUIElement or LSBackgroundOnly Info.plist keys make applications background-only. Malware families using hidden windows include Astaroth, QuietSieve, StrongPity, and LockBit 2.0."
references:
  - https://attack.mitre.org/techniques/T1564/003/
  - https://df00tech.com/detections/T1564.003
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT automation scripts and scheduled tasks that use -WindowStyle Hidden to run without disrupting the user desktop
  - Software update mechanisms that run silent background updates using hidden PowerShell windows
  - System monitoring agents that execute PowerShell checks in hidden windows to avoid user interruption
  - "Remote management tools (PSExec, Ansible WinRM) that execute PowerShell commands in non-interactive hidden sessions"
level: medium
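
Since the detection stanza above is a placeholder, here is an added example (not part of the df00tech rule) of the PowerShell half of this technique as executable detection logic: it recognises `-WindowStyle Hidden` including PowerShell's prefix abbreviations (`-w h`) over constructed process_creation events. The event dictionaries, `POWERSHELL_HOSTS` list and the two helper functions are this example's own assumptions, using the Sigma field names Image, CommandLine and ParentImage.

```python
"""Flag process_creation events whose PowerShell command line requests a hidden window.

The events below are constructed samples, not real telemetry; field names follow
the Sigma process_creation log source (Image, CommandLine, ParentImage).
"""
import shlex

# Assumed list of PowerShell host binaries to inspect (example's own choice).
POWERSHELL_HOSTS = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")


def hidden_window_args(cmdline):
    """Return the (parameter, value) pair requesting a hidden window, or None.

    PowerShell accepts any unambiguous prefix of a parameter name and of an
    enum value, so '-w h' means the same as '-WindowStyle Hidden'; a rule that
    only matches the literal string '-WindowStyle Hidden' misses the short form.
    The console host accepts both '-' and '/' as the switch prefix.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = cmdline.split()
    for param, value in zip(tokens, tokens[1:]):
        if not param.startswith(("-", "/")):
            continue
        name = param[1:].lower()
        val = value.strip("\"'").lower()
        if name and "windowstyle".startswith(name) and val and "hidden".startswith(val):
            return param, value
    return None


def detect(events):
    """Return one alert per event where a PowerShell host starts with a hidden window."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if image not in POWERSHELL_HOSTS:
            continue
        hit = hidden_window_args(ev.get("CommandLine", ""))
        if hit:
            alerts.append({"Image": ev["Image"], "ParentImage": ev.get("ParentImage"),
                           "matched": " ".join(hit)})
    return alerts


# Constructed sample events: long form, abbreviated form, and a visible-window benign run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'powershell.exe -NoP -W Hidden -c "Get-Date"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task, a listed false positive
     "CommandLine": r"pwsh.exe -w h -nop -File C:\Scripts\health.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -WindowStyle Normal -File update.ps1"},
]
```

The ParentImage is kept in each alert because the rule's own falsepositives list (scheduled tasks, update and monitoring agents) is mostly a question of which parent launched the hidden PowerShell.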
