Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This rule flags PowerShell script-block text that combines the `powershell`, `WindowStyle` and `Hidden` strings, excluding a known Amazon WorkSpaces configuration script that uses the same option legitimately.
Sigma rule

```yaml
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.stealth
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
```
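The rule's `selection and not filter` logic, as an added example that is not part of the Sigma project or this page: it applies the same `contains|all` matching to a few constructed ScriptBlockText samples. Sigma string modifiers match case-insensitively, so both sides are lower-cased before comparison; the sample script blocks are made up for illustration.

```python
# Added example: evaluate the "Suspicious PowerShell WindowStyle Option" rule
# logic over constructed ScriptBlockText values (Event ID 4104 script block
# logging must be enabled for this field to exist at all).

SELECTION_TERMS = ("powershell", "WindowStyle", "Hidden")
FILTER_TERMS = (
    ":\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\",
    "$PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule",
)


def contains_all(text: str, terms) -> bool:
    """Sigma 'contains|all': every term is a case-insensitive substring."""
    haystack = text.lower()
    return all(term.lower() in haystack for term in terms)


def matches_rule(script_block_text: str) -> bool:
    """condition: selection and not filter"""
    return contains_all(script_block_text, SELECTION_TERMS) and not contains_all(
        script_block_text, FILTER_TERMS
    )


# Constructed samples, not real telemetry.
SAMPLES = {
    # classic hidden launch: all three selection terms present
    "hidden_launch": "powershell.exe -WindowStyle Hidden -NoProfile -Command Get-Date",
    # same thing in different casing still matches (case-insensitive)
    "case_variant": "PowerShell -windowstyle hidden -c whoami",
    # the Amazon WorkSpaces script the rule explicitly filters out
    "aws_workspaces": (
        'powershell -WindowStyle Hidden -File "C:\\Program Files\\Amazon\\'
        'WorkSpacesConfig\\Scripts\\Setup.ps1" '
        "$PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule"
    ),
    # visible window: 'Hidden' is absent, so no match
    "normal_window": "powershell -WindowStyle Normal -c dir",
    # coverage gap: hidden window requested without the word 'powershell'
    "no_powershell_keyword": "Start-Process cmd.exe -WindowStyle Hidden",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: rule matched?} for each script block."""
    return {name: matches_rule(text) for name, text in samples.items()}
```

The last sample shows a limit of the rule as written: a script block that hides a window via `Start-Process` without mentioning `powershell` is not covered.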
Related rules
- Browser Execution In Headless Mode
- Cmd Launched with Hidden Start Flags to Suspicious Targets
- File Download with Headless Browser
- HackTool - Covenant PowerShell Launcher
- PUA - AdvancedRun Execution