MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1564.003: Hidden Window

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.

On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.

Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.

In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process. All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session, will be invisible to other desktops windows.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Monitoring of web browser process-start events with the --headless or --disable-gpu arguments in the command line.

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. For example, monitor suspicious windows explorer execution – such as an additional explorer.exe holding a handle to an unknown desktop – that may be used for hidden malicious activity via hVNC.

IDDS0022Data source and componentFile: File ModificationDescription

Monitor for changes made to files that may use hidden windows to conceal malicious activity from the plain sight of users. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style.

IDDS0012Data source and componentScript: Script ExecutionDescription

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Mitigation

IDM1038NameExecution PreventionDescription

Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.

IDM1033NameLimit Software InstallationDescription

Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.