attack.t1564.003

Conhost Suspicious Command Execution

Mar 18, 2025 · attack.defense-evasion attack.t1564.003 dist.public ·

Detects use of conhost in "headless" mode. By running conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.

HackTool - Covenant PowerShell Launcher

Aug 12, 2024 · attack.execution attack.defense-evasion attack.t1059.001 attack.t1564.003 ·

Share on:

Detects suspicious command lines used in Covenant luanchers

PUA - AdvancedRun Execution

Aug 12, 2024 · attack.execution attack.defense-evasion attack.privilege-escalation attack.t1564.003 attack.t1134.002 attack.t1059.003 ·

Share on:

Detects the execution of AdvancedRun utility

Suspicious PowerShell WindowStyle Option

Aug 12, 2024 · attack.defense-evasion attack.t1564.003 ·

Share on:

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden