Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden.
Sigma rule
```yaml
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.defense-evasion
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
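To make the rule's `selection and not filter` logic concrete, the following is an added example (not part of this page or of the SigmaHQ rule set) that re-implements the rule's two `contains|all` clauses as a plain Python function and runs it over constructed sample `ScriptBlockText` values; Sigma string matching is case-insensitive by default, and the sample values and the `evaluate` helper name are assumptions for the demonstration.

```python
# Constructed sample ScriptBlockText values (Script Block Logging, Event ID 4104).
SAMPLE_SCRIPT_BLOCKS = [
    # 0: hidden-window launch, should fire the rule.
    r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\run.ps1",
    # 1: mixed case still matches, because Sigma 'contains' is case-insensitive.
    r"PoWeRsHeLl -windowstyle hidden -Command Get-Date",
    # 2: benign, WindowStyle is Normal rather than Hidden, so 'Hidden' is absent.
    r"Start-Process powershell -WindowStyle Normal -ArgumentList '-File update.ps1'",
    # 3: Amazon WorkSpaces setup script: matches selection but is excluded by the filter.
    r"powershell -WindowStyle Hidden -File 'C:\Program Files\Amazon\WorkSpacesConfig\Scripts\Setup.ps1'; "
    r"Import-Module $PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule",
]

# The rule's selection terms (all must be present).
SELECTION_TERMS = ("powershell", "WindowStyle", "Hidden")
# The rule's filter terms (all must be present for the event to be excluded).
# Non-raw strings so the first value keeps its single trailing backslash.
FILTER_TERMS = (
    ":\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\",
    "$PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule",
)


def contains_all(text: str, terms) -> bool:
    """Sigma 'contains|all': every term is a case-insensitive substring of text."""
    lowered = text.lower()
    return all(term.lower() in lowered for term in terms)


def matches_rule(script_block_text: str) -> bool:
    """Evaluate the rule condition 'selection and not filter' for one event."""
    selection = contains_all(script_block_text, SELECTION_TERMS)
    filtered = contains_all(script_block_text, FILTER_TERMS)
    return selection and not filtered


def evaluate(script_blocks) -> list:
    """Return the indexes of the script blocks that fire the rule."""
    return [i for i, text in enumerate(script_blocks) if matches_rule(text)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT [{i}]: {SAMPLE_SCRIPT_BLOCKS[i][:70]}")
```

Only the first two samples fire; the third lacks `Hidden`, and the fourth is suppressed by the WorkSpaces filter even though it contains all three selection terms.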
Related rules
- HackTool - Covenant PowerShell Launcher
- PUA - AdvancedRun Execution
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType