Home/ATT&CK Technique/Hidden Window
ATT&CK Technique

Hidden Window

T1564.003 · stealth

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system. On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock.

A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.

The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the WindowPosition subkey in the HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe Registry key to a maximum value, PowerShell windows will open off screen and be hidden. In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process.

All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session, will be invisible to other desktops windows. Adversaries may also leverage cmd.exe as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe, to hide windows.

LinuxmacOSWindows

Actors Using This

14
chinaAoqin Dragon
chinaAPT17
russiaAPT28
chinaAPT3
private_mercenaryBahamut
indiaBitter
chinaBlackTech
russiaCloud Atlas
chinaDaggerfly
lebanonDark Caracal
chinaDark Pink
south_koreaDarkhotel
indiaDoNot Team
chinaEarth Lusca

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development same
T1584.008 · Network Devices ×4.08
initial-access same
T1456 · Drive-By Compromise ×6.80
discovery same
T1426 · System Information Discovery ×6.80T1422 · System Network Configuration Discovery ×5.29
collection same
T1417 · Input Capture ×5.95T1409 · Stored Application Data ×4.33T1430.001 · Remote Device Management Services ×4.33T1429 · Audio Capture ×3.66T1025 · Data from Removable Media ×3.40
command-and-control same
T1437 · Application Layer Protocol ×6.80T1437.001 · Web Protocols ×6.80T1102.001 · Dead Drop Resolver ×4.53
other same
T1221 · Template Injection ×5.83T1564.001 · Hidden Files and Directories ×4.53T1480.001 · Environmental Keying ×3.71

Atomic Tests

3
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsHidden Window
Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. Upon execution a hidden PowerShell window will launch calc.exe 
Start-Process #{powershell_command}
command_promptwindowsHeadless Browser Accessing Mockbin
The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs. The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view. Reference: https://cert.gov.ua/article/5702579 
start "" #{browser} --headless --disable-gpu https://mockbin.org/bin/#{bin_id}
powershellelevatedwindowsHidden Window-Conhost Execution
Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. conhost.exe can be used as proxy the execution of arbitrary commands 
conhost.exe --headless calc.exe

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1033Limit Software Installation

Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles.

Application Whitelisting
  • Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
  • Whitelist applications based on file hash, path, or digital signatures. Restrict User Permissions.
  • Remove local administrator rights for all non-IT users.
  • Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only. Software Restriction Policies (SRP)
  • Use GPO to configure SRP to deny execution of binaries from directories such as %AppData%, %Temp%, and external drives.
  • Restrict specific file types (.exe, .bat, .msi, .js, .vbs) to trusted directories only. Endpoint Management Solutions.
  • Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
  • Maintain a list of approved software, versions, and updates across the enterprise. Monitor Software Installation Events.
  • Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
  • Use SIEM or EDR tools to alert on attempts to install unapproved software. Implement Software Inventory Management.
  • Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
  • Conduct regular audits to detect and remove unapproved software.
Tools for Implementation Application Whitelisting
  • Microsoft AppLocker.
Windows Defender Application Control (WDAC) Endpoint Management
  • Microsoft Intune.
  • SCCM (System Center Configuration Manager)
  • Jamf Pro (macOS)
Puppet or Ansible for automation Software Restriction Policies
  • Group Policy Object (GPO)
Microsoft Software Restriction Policies (SRP) Monitoring and Logging
  • Splunk.
  • OSQuery.
  • Wazuh (open-source SIEM and XDR)
EDRs Inventory Management and Auditing
  • OSQuery.
  • Wazuh.
M1038Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions.

Application Control
  • Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
  • Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.
xml"`) Script Blocking
  • Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
  • Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g.
, Set-ExecutionPolicy AllSigned) Executable Blocking
  • Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
  • Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.
Dynamic Analysis Prevention
  • Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
  • Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 8
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53CM-07, SI-07, SI-10
D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin