Hide Artifacts: Hidden Window

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. [1]

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.[2]

ID: T1564.003
Sub-technique of:  T1564
Tactic: Defense Evasion
Platforms: Windows, macOS
Permissions Required: User
Data Sources: File monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Contributors: Travis Smith, Tripwire
Version: 1.0
Created: 13 March 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
Agent Tesla

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.[11]

APT19

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [20]

APT28

APT28 has used the WindowStyle parameter to conceal PowerShell windows.[16] [17]

APT3

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.[15]

APT32

APT32 has used the WindowStyle parameter to conceal PowerShell windows. [18] [19]

Astaroth

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. [3]

BONDUPDATER

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.[5]

CopyKittens

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. [21]

DarkHydrus

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. [22]

Deep Panda

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [23]

Gorgon Group

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [24]

HAMMERTOSS

HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.[6]

HotCroissant

HotCroissant has the ability to hide the window for operations performed on a given file.[8]

KeyBoy

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. [4]

Kivars

Kivars has the ability to conceal its activity through hiding active windows.[9]

Magic Hound

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.[14]

Metamorfo

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.[12]

PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.[10]

Ursnif

Ursnif droppers have used COM properties to execute malware in hidden windows.[7]

WindTail

WindTail can instruct the OS to execute an application without a dock icon or menu.[13]

Mitigations

Mitigation Description
Execution Prevention

Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.

Detection

Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.

References