T1564.003 Hidden Window Mappings

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-7 Least Functionality Protects T1564.003 Hidden Window
SI-10 Information Input Validation Protects T1564.003 Hidden Window
SI-7 Software, Firmware, and Information Integrity Protects T1564.003 Hidden Window
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1564.003 Hidden Window