sigmaDRL-1.1from SigmaHQ/sigma
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
- attack.defense-evasion
- attack.t1564.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'WindowStyle'
- 'Hidden'
filter:
ScriptBlockText|contains|all:
- ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
- '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
condition: selection and not filter
falsepositives:
- Unknown
level: medium