Common Information
| Type | Value |
|---|---|
| Value |
Hidden Window - T1564.003 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019) In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding <code>explorer.exe</code> process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2021-07-14 | 7 | Investigating a Suspicious Service - MDSec | ||
| Details | Website | 2021-07-14 | 2 | XLS Entanglement - BC Security | ||
| Details | Website | 2021-05-25 | 4 | Cobalt Strikes Again: An Analysis of Obfuscated Malware | ||
| Details | Website | 2021-04-30 | 6 | PortDoor: New Chinese APT Backdoor Attack Targets Russian Defense Sector | ||
| Details | Website | 2021-03-03 | 28 | Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk | ||
| Details | Website | 2021-02-17 | 29 | [RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and the similarities with recently Smanager RAT | ||
| Details | Website | 2021-01-01 | 12 | MassLogger - Frankenstein's Creation | ||
| Details | Website | 2020-10-16 | 69 | DNS Hijacking Attacks on Home Routers in Brazil - CUJO AI | ||
| Details | Website | 2020-09-02 | 63 | KryptoCibule: The multitasking multicurrency cryptostealer | WeLiveSecurity | ||
| Details | Website | 2020-06-18 | 76 | Digging up InvisiMole’s hidden arsenal | WeLiveSecurity | ||
| Details | Website | 2020-05-27 | 9 | analyses/RemcosDocDropper.MD at master · 1d8/analyses | ||
| Details | Website | 2020-05-07 | 304 | COVID-19 - Malware Makes Hay During a Pandemic | McAfee Blog | ||
| Details | Website | 2020-02-13 | 35 | New Cyber Espionage Campaigns Targeting Palestinians - Part 1: The Spark Campaign | ||
| Details | Website | 2020-02-07 | 37 | Emotet Technical Analysis - Part 2 PowerShell Unveiled | ||
| Details | Website | 2020-02-06 | 24 | DNS tunneling series, part 3: The siren song of RogueRobin | ||
| Details | Website | 2020-01-31 | 37 | Winnti Group targeting universities in Hong Kong | WeLiveSecurity | ||
| Details | Website | 2020-01-29 | 54 | Emotet Technical Analysis - Part 1 Reveal the Evil Code | ||
| Details | Website | 2020-01-20 | 15 | RoboThiefClient - A Telegram session stealer | ||
| Details | Website | 2019-12-17 | 41 | Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia | ||
| Details | Website | 2019-10-07 | 134 | China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations | ||
| Details | Website | 2019-08-14 | 252 | In the Balkans, businesses are under fire from a double‑barreled weapon | WeLiveSecurity | ||
| Details | Website | 2019-04-17 | 29 | macOS Bundlore: Mac Virus Bypassing macOS Security Features | ||
| Details | Website | 2019-03-05 | 5 | Emotet 101, stage 3: The Emotet executable | ||
| Details | Website | 2018-11-16 | 22 | Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery | ||
| Details | Website | 2018-06-22 | 14 | Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems |