Common Information
| Type | Value |
|---|---|
| Value |
Hidden Window - T1564.003 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019) In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding <code>explorer.exe</code> process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-14 | 72 | Weekly Intelligence Report - 15 Nov 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-11-08 | 14 | Reveal Lab Write-Up | ||
| Details | Website | 2024-11-05 | 9 | DcRAT (DarkCrystal RAT) Payload Technical Analysis | ||
| Details | Website | 2024-11-05 | 3 | Black Basta PowerShell script to establish a Cobalt Strike beacon | ||
| Details | Website | 2024-10-18 | 44 | Weekly Intelligence Report - 18 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-10-16 | 13 | UAC-0050 Attack Detection: russia-Backed APT Performs Cyber Espionage, Financial Crimes, and Disinformation Operations Against Ukraine - SOC Prime | ||
| Details | Website | 2024-10-10 | 29 | Technical Analysis of a Novel IMEEX Framework | ||
| Details | Website | 2024-10-10 | 28 | Technical Analysis of a Novel IMEEX Framework | ||
| Details | Website | 2024-10-10 | 33 | Malware by the (Bit)Bucket: Uncovering AsyncRAT | ||
| Details | Website | 2024-10-06 | 18 | YUNIT STEALER - CYFIRMA | ||
| Details | Website | 2024-10-03 | 5 | The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1) | ||
| Details | Website | 2024-09-19 | 30 | Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages | CloudSEK | ||
| Details | Website | 2024-09-11 | 8 | 2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjan - Terms and Conditions.msc) | ||
| Details | Website | 2024-09-06 | 35 | HackTheBox Sherlock Writeup: APTNightmare | ||
| Details | Website | 2024-09-04 | 71 | AZORult Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2024-09-03 | 62 | Emansrepo Stealer: Multi-Vector Attack Chains | FortiGuard Labs | ||
| Details | Website | 2024-09-01 | 34 | Interlab 인터랩 | Novel RAT discovered “SuperBear” targeting journalist covering geopolitics of Asia | ||
| Details | Website | 2024-08-29 | 27 | Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing… | ||
| Details | Website | 2024-08-23 | 94 | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | Google Cloud Blog | ||
| Details | Website | 2024-08-22 | 82 | Threat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script | ||
| Details | Website | 2024-08-21 | 13 | UAC-0020 (Vermin) Activity Detection: A New Phishing Attack Abusing the Topic of Prisoners of War at the Kursk Front and Using FIRMACHAGENT Malware - SOC Prime | ||
| Details | Website | 2024-06-26 | 76 | Threat Analysis Insight: RisePro Information Stealer | ||
| Details | Website | 2024-05-30 | 18 | Decoding Water Sigbin's Latest Obfuscation Tricks | ||
| Details | Website | 2024-05-30 | 19 | Decoding Water Sigbin's Latest Obfuscation Tricks | ||
| Details | Website | 2024-04-10 | 21 | Kimsuky 4 |