blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml

title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.defense-evasion
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium