Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Hide Artifacts:  Скрытое окно

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019) In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.

ID: T1564.003
Относится к технике:  T1564
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, File: File Modification, Process: Process Creation, Script: Script Execution
Версия: 1.2
Дата создания: 13 Mar 2020
Последнее изменение: 13 Apr 2024

Примеры процедур

Название Описание
Astaroth

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. (Citation: Cybereason Astaroth Feb 2019)

QuietSieve

QuietSieve has the ability to execute payloads in a hidden window.(Citation: Microsoft Actinium February 2022)

StrongPity

StrongPity has the ability to hide the console window for its document search module from the user.(Citation: Talos Promethium June 2020)

Kevin

Kevin can hide the current window from the targeted user via the `ShowWindow` API function.(Citation: Kaspersky Lyceum October 2021)

APT3

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.(Citation: FireEye Operation Double Tap)

APT28

APT28 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)

APT19

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: FireEye APT19)

Koadic

Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.(Citation: MalwareBytes LazyScripter Feb 2021)

HAMMERTOSS

HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.(Citation: FireEye APT29)

SILENTTRINITY

SILENTTRINITY has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules July 2019)

QuasarRAT

QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems.(Citation: CISA AR18-352A Quasar RAT December 2018)

KeyBoy

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. (Citation: PWC KeyBoys Feb 2017)

SharpDisco

SharpDisco can hide windows using `ProcessWindowStyle.Hidden`.(Citation: MoustachedBouncer ESET August 2023)

MCMD

MCMD can modify processes to prevent them from being visible on the desktop.(Citation: Secureworks MCMD July 2019)

KOCTOPUS

KOCTOPUS has used -WindowsStyle Hidden to hide the command window.(Citation: MalwareBytes LazyScripter Feb 2021)

BONDUPDATER

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.(Citation: FireEye APT34 Dec 2017)

Deep Panda

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)

Agent Tesla

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)

AsyncRAT

AsyncRAT can hide the execution of scheduled tasks using `ProcessWindowStyle.Hidden`.(Citation: Telefonica Snip3 December 2021)

Kivars

Kivars has the ability to conceal its activity through hiding active windows.(Citation: TrendMicro BlackTech June 2017)

Gorgon Group

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Unit 42 Gorgon Group Aug 2018)

CopyKittens

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. (Citation: ClearSky Wilted Tulip July 2017)

QUIETCANARY

QUIETCANARY can execute processes in a hidden window.(Citation: Mandiant Suspected Turla Campaign February 2023)

Higaisa

Higaisa used a payload that creates a hidden window.(Citation: PTSecurity Higaisa 2020)

Gamaredon Group

Gamaredon Group has used hidcon to run batch files in a hidden console window.(Citation: Unit 42 Gamaredon February 2022)

DarkHydrus

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. (Citation: Unit 42 DarkHydrus July 2018)

WarzoneRAT

WarzoneRAT has the ability of performing remote desktop access via a hVNC window for decreased visibility.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)

AvosLocker

AvosLocker has hidden its console window by using the `ShowWindow` API function.(Citation: Malwarebytes AvosLocker Jul 2021)

IMAPLoader

IMAPLoader hides the Windows Console window created by its execution by directly importing the `kernel32.dll` and `user32.dll` libraries `GetConsoleWindow` and `ShowWindow` APIs.(Citation: PWC Yellow Liderc 2023)

ToddyCat

ToddyCat has hidden malicious scripts using `powershell.exe -windowstyle hidden`. (Citation: Kaspersky ToddyCat Check Logs October 2023)

Meteor

Meteor can hide its console window upon execution to decrease its visibility to a victim.(Citation: Check Point Meteor Aug 2021)

Nomadic Octopus

Nomadic Octopus executed PowerShell in a hidden window.(Citation: ESET Nomadic Octopus 2018)

InvisiMole

InvisiMole has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020)

Kimsuky

Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)

APT32

APT32 has used the WindowStyle parameter to conceal PowerShell windows. (Citation: FireEye APT32 May 2017) (Citation: Cybereason Cobalt Kitty 2017)

PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.(Citation: Unit 42 Inception November 2018)

Magic Hound

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.(Citation: Unit 42 Magic Hound Feb 2017)

TrickBot

TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.(Citation: Emotet Deploys TrickBot)

Snip3

Snip3 can execute PowerShell scripts in a hidden window.(Citation: Morphisec Snip3 May 2021)

WindTail

WindTail can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)

Metamorfo

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020)

Cuba

Cuba has executed hidden PowerShell windows.(Citation: McAfee Cuba April 2021)

HotCroissant

HotCroissant has the ability to hide the window for operations performed on a given file.(Citation: Carbon Black HotCroissant April 2020)

Ursnif

Ursnif droppers have used COM properties to execute malware in hidden windows.(Citation: Bromium Ursnif Mar 2017)

Контрмеры

Контрмера Описание
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Limit Software Installation

Block users or groups from installing unapproved software.

Обнаружение

Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.

Ссылки

  1. Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.
  2. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  3. Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.
  4. Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.
  5. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  6. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  7. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  8. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  9. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  10. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  11. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  12. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  13. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  14. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  15. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  16. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  17. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  18. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  19. Safran, Or. Asinovsky, Pavel. (2017, November). Who Hid My Desktop: Deep Dive Into HVNC. Retrieved November 28, 2023.
  20. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  21. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  22. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  23. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  24. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  25. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  26. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  27. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  28. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  29. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  30. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  31. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  32. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  33. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  34. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  35. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  36. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  37. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  38. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  39. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  40. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  41. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  42. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  43. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  44. Cybereason Nocturnus. (n.d.). Triple Threat: Emotet Deploys TrickBot to Steal Data & Spread Ryuk. Retrieved November 28, 2023.
  45. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  46. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  47. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  48. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  49. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  50. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.