Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.[1]
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement
, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden
.[2]
In addition, Windows supports the CreateDesktop()
API that can create a hidden desktop window with its own corresponding explorer.exe
process.[3][4] All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,[3] will be invisible to other desktops windows.
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla has used |
G0073 | APT19 |
APT19 used |
G0007 | APT28 |
APT28 has used the WindowStyle parameter to conceal PowerShell windows.[7] [8] |
G0022 | APT3 |
APT3 has been known to use |
G0050 | APT32 |
APT32 has used the WindowStyle parameter to conceal PowerShell windows. [10] [11] |
S0373 | Astaroth |
Astaroth loads its module with the XSL script parameter |
S1087 | AsyncRAT |
AsyncRAT can hide the execution of scheduled tasks using |
S1053 | AvosLocker |
AvosLocker has hidden its console window by using the |
S0360 | BONDUPDATER |
BONDUPDATER uses |
G0052 | CopyKittens |
CopyKittens has used |
S0625 | Cuba | |
G0079 | DarkHydrus |
DarkHydrus has used |
G0009 | Deep Panda |
Deep Panda has used |
G0047 | Gamaredon Group |
Gamaredon Group has used |
G0078 | Gorgon Group |
Gorgon Group has used |
S0037 | HAMMERTOSS |
HAMMERTOSS has used |
G0126 | Higaisa | |
S0431 | HotCroissant |
HotCroissant has the ability to hide the window for operations performed on a given file.[24] |
S0260 | InvisiMole |
InvisiMole has executed legitimate tools in hidden windows.[25] |
S1020 | Kevin |
Kevin can hide the current window from the targeted user via the |
S0387 | KeyBoy |
KeyBoy uses |
G0094 | Kimsuky |
Kimsuky has used an information gathering module that will hide an AV software window from the victim.[28] |
S0437 | Kivars |
Kivars has the ability to conceal its activity through hiding active windows.[29] |
S0250 | Koadic |
Koadic has used the command |
S0669 | KOCTOPUS |
KOCTOPUS has used |
G0059 | Magic Hound |
Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[31] |
S0500 | MCMD |
MCMD can modify processes to prevent them from being visible on the desktop.[32] |
S0455 | Metamorfo |
Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[33] |
S0688 | Meteor |
Meteor can hide its console window upon execution to decrease its visibility to a victim.[34] |
G0133 | Nomadic Octopus |
Nomadic Octopus executed PowerShell in a hidden window.[35] |
S0441 | PowerShower |
PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[36] |
S0262 | QuasarRAT |
QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string |
S1076 | QUIETCANARY |
QUIETCANARY can execute processes in a hidden window.[38] |
S0686 | QuietSieve |
QuietSieve has the ability to execute payloads in a hidden window.[39] |
S1089 | SharpDisco |
SharpDisco can hide windows using |
S0692 | SILENTTRINITY |
SILENTTRINITY has the ability to set its window state to hidden.[41] |
S1086 | Snip3 |
Snip3 can execute PowerShell scripts in a hidden window.[42] |
S0491 | StrongPity |
StrongPity has the ability to hide the console window for its document search module from the user.[43] |
G1022 | ToddyCat |
ToddyCat has hidden malicious scripts using |
S0266 | TrickBot |
TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.[45] |
S0386 | Ursnif |
Ursnif droppers have used COM properties to execute malware in hidden windows.[46] |
S0670 | WarzoneRAT |
WarzoneRAT has the ability of performing remote desktop access via a hVNC window for decreased visibility.[47] |
S0466 | WindTail |
WindTail can instruct the OS to execute an application without a dock icon or menu.[48] |
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention |
Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious. |
M1033 | Limit Software Installation |
Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may use hidden windows to conceal malicious activity from the plain sight of users. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. |
DS0022 | File | File Modification |
Monitor for changes made to files that may use hidden windows to conceal malicious activity from the plain sight of users. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the |
DS0009 | Process | Process Creation |
Monitor newly executed processes that may use hidden windows to conceal malicious activity from the plain sight of users. For example, monitor suspicious windows explorer execution – such as an additional |
DS0012 | Script | Script Execution |
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |