Suspicious use of scripting parameters or registry edits to hide process windows (e.g., powershell.exe -WindowStyle Hidden, which powershell.exe also accepts in abbreviated forms such as -w hidden or -w h, or registry modifications pushing window positions off screen). Defender view: correlation of hidden execution with anomalous process lineage or hVNC-like CreateDesktop API calls. Caveat: the Sysmon channels below see the command line and the registry write; API-level activity such as CreateDesktop needs EDR or ETW telemetry.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Field | Description |
|---|---|
| HiddenProcessScope | Restrict to processes where hidden execution is unexpected (e.g., PowerShell, cmd, wscript). |
| ParentProcessCorrelation | Correlate hidden execution with suspicious parent processes to reduce false positives. |
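The analytic above in working form, as an added example that is not part of the MITRE page: it scores Sysmon EventCode=1 records for hidden-window flags (including the abbreviated -w h spelling) and EventCode=13 records for console window positions parked off screen, then uses the parent process to raise severity rather than to suppress the alert. The sample events are constructed; the parent and process-scope lists are assumptions to tune per environment, and the decoding of the WindowPosition DWORD (Y in the high word, X in the low word) is an assumption stated in the code.

```python
"""Hidden-window detection over Sysmon process-creation (EventCode=1) and
registry value-set (EventCode=13) events. Sample events are constructed."""
import re
from ntpath import basename

# HiddenProcessScope: script hosts where a hidden window is unexpected (assumed list).
HIDDEN_PROCESS_SCOPE = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# ParentProcessCorrelation: parents that should not spawn script hosts (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe"}


def has_hidden_window_flag(cmdline: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of a parameter name and of an
    enum value, so -WindowStyle Hidden, -w hidden and -w h are all equivalent."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        name = tok.lower()
        if len(name) < 2 or name[0] != "-" or not "windowstyle".startswith(name[1:]):
            continue
        value = toks[i + 1].strip("\"'").lower()
        if value and "hidden".startswith(value):
            return True
    return False


def off_screen_window_position(target_object: str, details: str) -> bool:
    """EventCode=13 on a console WindowPosition value. Assumption for this example:
    the DWORD packs Y in the high word and X in the low word as signed 16-bit
    integers; coordinates far outside any plausible display mean the window is
    parked where nobody will see it."""
    if not target_object.lower().endswith("\\windowposition"):
        return False
    m = re.search(r"0x([0-9a-f]{1,8})", details, re.IGNORECASE)
    if not m:
        return False
    packed = int(m.group(1), 16)

    def signed16(word):
        return word - 0x10000 if word & 0x8000 else word

    x, y = signed16(packed & 0xFFFF), signed16(packed >> 16)
    return x < -500 or y < -500 or x > 16000 or y > 16000


def evaluate(events):
    """Return alerts; parent correlation raises severity instead of gating the alert."""
    alerts = []
    for ev in events:
        if ev["EventCode"] == 1:
            image = basename(ev["Image"]).lower()
            if image in HIDDEN_PROCESS_SCOPE and has_hidden_window_flag(ev["CommandLine"]):
                parent = basename(ev.get("ParentImage", "")).lower()
                alerts.append({
                    "ProcessId": ev["ProcessId"], "Image": image, "ParentImage": parent,
                    "reason": "hidden window flag in command line",
                    "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
                })
        elif ev["EventCode"] == 13 and off_screen_window_position(ev["TargetObject"], ev["Details"]):
            alerts.append({
                "ProcessId": ev["ProcessId"], "Image": basename(ev["Image"]).lower(), "ParentImage": "",
                "reason": "console window position set off screen", "severity": "medium",
            })
    return alerts


# Constructed sample events (field names follow Sysmon's EventCode=1 and =13 schemas).
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -nop -w h -c "iex (gc C:\Users\Public\s.txt)"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\Inventory\collect.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 13, "ProcessId": 5001, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Console\WindowPosition",
     "Details": "DWORD (0xF830F830)"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The scheduled-task case (PID 4188, parent svchost.exe) is the usual false-positive source: scheduled tasks and management agents launch scripts with -WindowStyle Hidden routinely, so it lands at medium and is the place to add a per-script allowlist rather than dropping the flag check.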
Suspicious invocation of GUI utilities or scripts with suppressed or redirected windowing options. Defender view: detection of X11 or Wayland calls to spawn windows that do not appear on active displays (for example a DISPLAY pointed at a virtual framebuffer such as Xvfb), or use of nohup/screen/tmux to mask interactive shells. Caveat: auditd SYSCALL records do not carry the process environment, so an unset or redirected DISPLAY has to be inferred from explicit -display arguments in the EXECVE record or collected from /proc/<pid>/environ by an agent.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | Execution of GUI-related binaries with suppressed window/display flags |
| Process Metadata (DC0034) | auditd:SYSCALL | Use of fork/exec with DISPLAY unset or redirected |
| Field | Description |
|---|---|
| DisplayScope | Restrict monitoring to interactive GUI contexts rather than server/headless processes. |
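The Linux analytic as runnable detection logic, added here and not taken from the MITRE page: it joins auditd EXECVE and SYSCALL records by serial, decodes the hex-encoded arguments auditd emits for values containing whitespace, and flags GUI binaries whose display is redirected on the command line as well as screen/tmux/nohup/setsid invocations that detach a shell from its terminal. DisplayScope is applied through the SYSCALL auid field: execs with no login session (auid 4294967295, typical of cron and daemons) are dropped. The audit lines and the binary lists are constructed and assumed respectively.

```python
"""Detached-session and display-redirection detection over auditd records.
Sample audit lines are constructed for this example."""
import re
from collections import defaultdict

# GUI binaries whose explicit display redirection is worth a look (assumed list).
GUI_BINARIES = {"xterm", "xdotool", "firefox", "chromium", "gnome-terminal", "xfce4-terminal"}
# Tools that detach a command or shell from its controlling terminal.
DETACH_TOOLS = {"nohup", "setsid", "screen", "tmux"}
NO_LOGIN_SESSION = "4294967295"  # auid when the process has no login session (daemons, cron)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_audit_line(line):
    """Return (record type, serial, fields). auditd hex-encodes an EXECVE argument
    instead of quoting it when it contains whitespace or non-printable bytes."""
    serial = _SERIAL_RE.search(line).group(1)
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if value.startswith('"'):
            fields[key] = value[1:-1]
        elif key[0] == "a" and key[1:].isdigit() and re.fullmatch(r"(?:[0-9A-F]{2})+", value):
            fields[key] = bytes.fromhex(value).decode("utf-8", "replace")
        else:
            fields[key] = value
    return fields["type"], serial, fields


def argv_of(execve):
    return [execve[f"a{i}"] for i in range(int(execve["argc"])) if f"a{i}" in execve]


def analyze(argv, syscall):
    """Reasons this exec masks an interactive window or shell; empty if none."""
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    opts = [a for a in argv[1:] if a.startswith("-") and not a.startswith("--")]
    reasons = []
    if prog in DETACH_TOOLS:
        if prog == "screen" and any(o.startswith(("-d", "-D")) for o in opts) and any("m" in o[1:] for o in opts):
            reasons.append("screen session created detached (-d -m)")
        elif prog == "tmux" and "-d" in opts:
            reasons.append("tmux session created detached (-d)")
        elif prog in ("nohup", "setsid"):
            reasons.append(f"{prog} detaches child from the controlling terminal")
    if prog in GUI_BINARIES:
        for i, arg in enumerate(argv):
            if arg in ("-display", "--display") and i + 1 < len(argv):
                reasons.append(f"display redirected to {argv[i + 1]}")
            elif arg.startswith("--display="):
                reasons.append(f"display redirected to {arg.split('=', 1)[1]}")
    # DisplayScope: keep only interactive login sessions; daemon/cron execs carry no auid.
    if syscall.get("auid") == NO_LOGIN_SESSION:
        return []
    return reasons


def scan(lines):
    """Join EXECVE and SYSCALL records by audit serial and evaluate each exec."""
    by_serial = defaultdict(dict)
    for line in lines:
        rtype, serial, fields = parse_audit_line(line)
        by_serial[serial][rtype] = fields
    alerts = []
    for serial, recs in by_serial.items():
        if "EXECVE" not in recs or "SYSCALL" not in recs:
            continue
        argv = argv_of(recs["EXECVE"])
        reasons = analyze(argv, recs["SYSCALL"])
        if reasons:
            alerts.append({"serial": serial, "uid": recs["SYSCALL"].get("uid"),
                           "tty": recs["SYSCALL"].get("tty"), "argv": argv, "reasons": reasons})
    return alerts


# Constructed audit records: a detached screen session running a hidden script,
# an xterm sent to display :99, a cron-launched tmux (no login session) and a plain ls.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="screen" exe="/usr/bin/screen" key="exec"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=4 a0="screen" a1="-dmS" a2="upd" a3=2F746D702F2E78202D71',
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1301 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="xterm" exe="/usr/bin/xterm" key="exec"',
    'type=EXECVE msg=audit(1700000000.102:502): argc=3 a0="xterm" a1="-display" a2=":99"',
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1302 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="tmux" exe="/usr/bin/tmux" key="exec"',
    'type=EXECVE msg=audit(1700000000.103:503): argc=3 a0="tmux" a1="new-session" a2="-d"',
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1303 auid=1000 uid=1000 gid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1700000000.104:504): argc=2 a0="ls" a1="-la"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LINES):
        print(alert)
```

The hex decoding matters in practice: the argument that carries the hidden script's path in serial 501 contains a space, so auditd writes it as 2F746D70... and a naive grep for "/tmp/" on the raw record misses it.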
Modification of plist files to set apple.awt.UIElement (Java applications), the native LSUIElement key, or similar flags hiding app icons and windows, and dscl/command-line activity that suppresses visibility. Defender view: correlation of plist modifications with unexpected hidden user applications.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Modification of an Info.plist setting apple.awt.UIElement or LSUIElement to true |
| Process Creation (DC0032) | macos:unifiedlog | Execution of Java apps or other processes with hidden window attributes |
| Field | Description |
|---|---|
| PlistScope | Restrict detection to application plists where a UIElement flag is unexpected (menu-bar and agent apps set LSUIElement legitimately). |
| UserContext | Correlate plist modifications with the creating/modifying user to tune results. |
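The macOS analytic as code, added here rather than taken from the MITRE page: it parses the plist a file-modification event points at, reports which hiding keys are on (LSUIElement, apple.awt.UIElement and LSBackgroundOnly, accepting both the boolean and the string "1" form Apple allows), drops bundles on a PlistScope allowlist, and uses the modifying user, process and path for UserContext tiering. The plist contents, the modification events, the allowlist and the trusted-writer list are all constructed or assumed for the example.

```python
"""Flag application plists whose keys hide the app from the Dock and window list,
scoped by expected bundle identifier and correlated with the modifying user.
Plist contents and log-derived events are constructed for this example."""
import plistlib

# Keys that suppress the Dock icon / application windows: LSUIElement is the native
# Info.plist key, apple.awt.UIElement its Java equivalent, LSBackgroundOnly hides entirely.
HIDING_KEYS = ("LSUIElement", "apple.awt.UIElement", "LSBackgroundOnly")
# PlistScope: bundles that legitimately run as menu-bar or agent apps (assumed allowlist).
EXPECTED_HIDDEN = {"com.example.menubar-clock"}
# UserContext: processes allowed to write Info.plist files (assumed list).
TRUSTED_WRITERS = {"installer", "Installer"}


def hidden_ui_flags(plist_bytes):
    """Return (set of hiding keys that are on, bundle id). Apple accepts both a
    boolean and the string "1" for these keys, so both spellings are handled."""
    data = plistlib.loads(plist_bytes)
    on = set()
    for key in HIDING_KEYS:
        value = data.get(key)
        if value is True or (isinstance(value, str) and value.strip().lower() in ("1", "true", "yes")):
            on.add(key)
    return on, data.get("CFBundleIdentifier", "")


def evaluate(modifications, plists_on_disk):
    """modifications: file-modification events (path, user, process) as a unified-log
    consumer would emit them; plists_on_disk: path -> plist bytes read after the event."""
    alerts = []
    for ev in modifications:
        raw = plists_on_disk.get(ev["path"])
        if raw is None or not ev["path"].endswith("Info.plist"):
            continue
        flags, bundle_id = hidden_ui_flags(raw)
        if not flags or bundle_id in EXPECTED_HIDDEN:
            continue
        # A hidden app dropped into a user's home, or written by something other than
        # the installer, is the pattern the analytic is after.
        in_user_home = ev["path"].startswith("/Users/")
        severity = "high" if (in_user_home or ev["process"] not in TRUSTED_WRITERS) else "medium"
        alerts.append({"path": ev["path"], "bundle_id": bundle_id, "user": ev["user"],
                       "process": ev["process"], "flags": sorted(flags), "severity": severity})
    return alerts


def _plist(bundle_id, **extra):
    """Build a minimal XML Info.plist for the constructed samples."""
    d = {"CFBundleIdentifier": bundle_id, "CFBundleExecutable": bundle_id.split(".")[-1]}
    d.update(extra)
    return plistlib.dumps(d)


# Constructed "disk" contents and the matching file-modification events.
PLISTS_ON_DISK = {
    "/Users/alice/Library/Application Support/Updater.app/Contents/Info.plist":
        _plist("com.example.updater", LSUIElement=True),
    "/Applications/JTool.app/Contents/Info.plist":
        _plist("com.example.jtool", **{"apple.awt.UIElement": "true"}),
    "/Applications/Clock.app/Contents/Info.plist":
        _plist("com.example.menubar-clock", LSUIElement="1"),
    "/Applications/Editor.app/Contents/Info.plist":
        _plist("com.example.editor"),
}
MODIFICATIONS = [
    {"path": "/Users/alice/Library/Application Support/Updater.app/Contents/Info.plist",
     "user": "alice", "process": "bash"},
    {"path": "/Applications/JTool.app/Contents/Info.plist", "user": "root", "process": "installer"},
    {"path": "/Applications/Clock.app/Contents/Info.plist", "user": "root", "process": "installer"},
    {"path": "/Applications/Editor.app/Contents/Info.plist", "user": "alice", "process": "Xcode"},
]

if __name__ == "__main__":
    for alert in evaluate(MODIFICATIONS, PLISTS_ON_DISK):
        print(alert)
```

The allowlist is what keeps this usable: a fleet will have dozens of legitimate LSUIElement apps (status-bar utilities, helper agents), so the alerting value comes from the hidden bundle nobody expected, written by a shell into a user profile.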