ATT&CK coverage › Technique

Hide Artifacts: Hidden Window `T1564.003`

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Events covered

3 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 8 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (4 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	7	`match` 7	`--headless`, `\Contacts\`, `-sta` , `:\Perflogs\`, `http`
`Image`	4	`ends_with` 4, `match` 1, `starts_with` 1	`\chrome.exe`, `\opera.exe`, `\vivaldi.exe`, `\cmd.exe`, `C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge`
`OriginalFileName`	3	`eq` 3	`Cmd.Exe`, `CONHOST.EXE`, `AdvancedRun.exe`
`ScriptBlockText`	1	`match` 1	`:\Program Files\Amazon\WorkSpacesConfig\Scripts\`, `$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule`, `WindowStyle`

Top indicator values (86 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`CommandLine`	`match`	`--headless`	4	5
`Image`	`ends_with`	`\msedge.exe`	2	22
`Image`	`ends_with`	`\vivaldi.exe`	2	19
`Image`	`ends_with`	`\brave.exe`	2	20
`Image`	`ends_with`	`\chrome.exe`	2	11
`Image`	`ends_with`	`\opera.exe`	2	21
`CommandLine`	`match`	`start/b`	1
`CommandLine`	`match`	`.ps1`	1	3
`CommandLine`	`match`	`\Temporary Internet\`	1
`CommandLine`	`match`	`.vbs`	1	5
`CommandLine`	`match`	`\inetpub\`	1
`CommandLine`	`match`	`\Contacts\`	1	6
`CommandLine`	`match`	`/min"`	1
`CommandLine`	`match`	`/min`	1
`CommandLine`	`match`	`.vbe`	1	4
`CommandLine`	`match`	`-noni`	1
`CommandLine`	`match`	`.scr`	1	5
`CommandLine`	`match`	`:\Perflogs\`	1	4
`CommandLine`	`match`	`\Favorites\`	1	6
`CommandLine`	`match`	`\AppData\Roaming\`	1	10

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 8 rules

Browser Execution In Headless Mode severity low, 2 events, 6 indicators, 0 exclusions
Cmd Launched with Hidden Start Flags to Suspicious Targets severity medium, 1 event, 40 indicators, 0 exclusions
File Download with Headless Browser severity high, 2 events, 20 indicators, 0 exclusions
HackTool - Covenant PowerShell Launcher severity high, 2 events, 10 indicators, 0 exclusions
Potential Data Stealing Via Chromium Headless Debugging severity high, 2 events, 3 indicators, 0 exclusions
Powershell Executed From Headless ConHost Process severity medium, 1 event, 4 indicators, 0 exclusions
PUA - AdvancedRun Execution severity medium, 1 event, 6 indicators, 0 exclusions
Suspicious PowerShell WindowStyle Option severity medium, 1 event, 5 indicators, 0 exclusions