
Hidden Window

The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which lets Java applications prevent their icon from appearing in the Dock. A common use for this is an application that runs in the system tray and does not also want to show up in the Dock. However, adversaries can abuse this feature to hide their running window [1].

ID: T1143

Tactic: Defense Evasion

Platform: macOS

Permissions Required: User

Data Sources: File monitoring

Version: 1.0

Mitigation

Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.

Detection

Plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check plist files for the apple.awt.UIElement tag, or any other suspicious plist tag, and flag the files that contain it.
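The allowlist from the Mitigation section and the tag check described here can be combined in one scanner. The following is an added example, not part of the original ATT&CK page: it parses a plist with Python's `plistlib` (which reads both XML and binary plists) and flags an enabled apple.awt.UIElement tag unless the bundle is allowlisted. The function names, bundle identifiers and sample plist are constructed for illustration; searching nested keys and `-D` JVM option strings is an assumption about where the tag may appear.

```python
import plistlib

WATCHED_TAGS = {"apple.awt.UIElement"}  # tag named on this page; extend for other tags

def _enabled(value):
    """True when the tag is switched on (boolean true or the string "true")."""
    return value is True or str(value).strip().lower() == "true"

def find_tags(node, tags, path=""):
    """Yield the key path of every enabled watched tag, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in tags and _enabled(value):
                yield f"{path}/{key}"
            yield from find_tags(value, tags, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_tags(item, tags, f"{path}[{i}]")
    elif isinstance(node, str):
        # Assumed alternative form: a JVM option such as "-Dapple.awt.UIElement=true"
        if any(f"-D{tag}=true" in node for tag in tags):
            yield path

def scan_plist(data, allowlist=frozenset(), tags=WATCHED_TAGS):
    """Return findings for one plist's raw bytes (XML or binary format)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plists are reported, not silently skipped
        return [f"unparseable plist: {type(exc).__name__}"]
    bundle = plist.get("CFBundleIdentifier", "?") if isinstance(plist, dict) else "?"
    # The bundle id is self-declared by the file, so pair this allowlist with
    # a path or code-signature check in production.
    if bundle in allowlist:
        return []
    return [f"{bundle}: {hit}" for hit in find_tags(plist, tags)]

# Constructed sample Info.plist (not from a real application).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.updater</string>
  <key>Java</key><dict><key>Properties</key><dict>
    <key>apple.awt.UIElement</key><string>true</string>
  </dict></dict>
</dict></plist>"""

if __name__ == "__main__":
    for finding in scan_plist(SAMPLE, allowlist={"com.example.traytool"}):
        print("FLAG", finding)
```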

References