Skip to content

T1564.003 Hidden Window

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. 1

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.2

Item Value
ID T1564.003
Sub-techniques T1564.001, T1564.002, T1564.003, T1564.004, T1564.005, T1564.006, T1564.007, T1564.008, T1564.009, T1564.010
Tactics TA0005
Platforms Linux, Windows, macOS
Permissions required User
Version 1.1
Created 13 March 2020
Last Modified 15 March 2022

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.21
G0073 APT19 APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 37
G0007 APT28 APT28 has used the WindowStyle parameter to conceal PowerShell windows.25 26
G0022 APT3 APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.30
G0050 APT32 APT32 has used the WindowStyle parameter to conceal PowerShell windows. 35 36
S0373 Astaroth Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. 16
S1053 AvosLocker AvosLocker has hidden its console window by using the ShowWindow API function.19
S0360 BONDUPDATER BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.24
G0052 CopyKittens CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. 33
S0625 Cuba Cuba has executed hidden PowerShell windows.23
G0079 DarkHydrus DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. 38
G0009 Deep Panda Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 29
G0047 Gamaredon Group Gamaredon Group has used hidcon to run batch files in a hidden console window.28
G0078 Gorgon Group Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 31
S0037 HAMMERTOSS HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.10
G0126 Higaisa Higaisa used a payload that creates a hidden window.39
S0431 HotCroissant HotCroissant has the ability to hide the window for operations performed on a given file.12
S0260 InvisiMole InvisiMole has executed legitimate tools in hidden windows.14
S1020 Kevin Kevin can hide the current window from the targeted user via the ShowWindow API function.9
S0387 KeyBoy KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. 17
G0094 Kimsuky Kimsuky has used an information gathering module that will hide an AV software window from the victim.27
S0437 Kivars Kivars has the ability to conceal its activity through hiding active windows.11
S0250 Koadic Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.4
S0669 KOCTOPUS KOCTOPUS has used -WindowsStyle Hidden to hide the command window.4
G0059 Magic Hound Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.32
S0500 MCMD MCMD can modify processes to prevent them from being visible on the desktop.3
S0455 Metamorfo Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.15
S0688 Meteor Meteor can hide its console window upon execution to decrease its visibility to a victim.13
G0133 Nomadic Octopus Nomadic Octopus executed PowerShell in a hidden window.34
S0441 PowerShower PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.18
S0262 QuasarRAT QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A though QuasarRAT can only be run on Windows systems.5
S0686 QuietSieve QuietSieve has the ability to execute payloads in a hidden window.22
S0692 SILENTTRINITY SILENTTRINITY has the ability to set its window state to hidden.6
S0491 StrongPity StrongPity has the ability to hide the console window for its document search module from the user.7
S0386 Ursnif Ursnif droppers have used COM properties to execute malware in hidden windows.8
S0466 WindTail WindTail can instruct the OS to execute an application without a dock icon or menu.20

Mitigations

ID Mitigation Description
M1038 Execution Prevention Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process Process Creation
DS0012 Script Script Execution

References


  1. Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019. 

  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017. 

  3. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. 

  4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  5. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 

  6. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  7. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  8. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 

  9. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. 

  10. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. 

  11. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  12. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 

  13. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  14. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. 

  15. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  16. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 

  17. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  18. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  19. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023. 

  20. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift’s implant: OSX.WindTail (part 1). Retrieved October 3, 2019. 

  21. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. 

  22. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  23. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. 

  24. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. 

  25. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. 

  26. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017. 

  27. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  28. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  29. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 

  30. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. 

  31. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  32. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. 

  33. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 

  34. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. 

  35. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 

  36. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  37. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  38. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. 

  39. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.