rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml

title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.defense-evasion
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`title: Suspicious PowerShell WindowStyle Option`
			`id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c`
$frack113$ Promotion rules (#3821 ) 2022-12-27 12:29:10 +01:00			`status: test`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`description: \|`
$frack113$ Promotion rules (#3821 ) 2022-12-27 12:29:10 +01:00			`Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.`
			`In some cases, windows that would typically be displayed when an application carries out an operation can be hidden`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md`
FP: call of window style hidden is embedded in AWS code. 2023-01-03 20:52:10 +00:00			`author: frack113, Tim Shelton (fp AWS)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-10-20`
			`modified: 2023-01-03`
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`- attack.t1564.003`
			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`detection:`
			`selection:`
Add missing definition fields and references 2022-07-07 19:13:01 +01:00			`ScriptBlockText\|contains\|all:`
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`- 'powershell'`
			`- 'WindowStyle'`
			`- 'Hidden'`
FP: call of window style hidden is embedded in AWS code. 2023-01-03 20:52:10 +00:00			`filter:`
fix: enhance fp filter 2023-01-04 00:43:40 +01:00			`ScriptBlockText\|contains\|all:`
			`- ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'`
			`- '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'`
FP: call of window style hidden is embedded in AWS code. 2023-01-03 20:52:10 +00:00			`condition: selection and not filter`
$frack113$ add powershell_suspicious_windowstyle 2021-10-20 13:57:24 +02:00			`falsepositives:`
			`- Unknown`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`level: medium`