Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Скрытое окно
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Скрытое окно
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Hide Artifacts:  Скрытое окно

ID Название
.001 Скрытые файлы и каталоги
.002 Скрытые пользователи
.003 Скрытое окно
.004 Атрибуты файла NTFS
.005 Скрытая файловая система
.006 Запуск виртуальной машины
.007 Сокрытие в скомпилированном VBA-коде
.008 Правила для сокрытия писем
.009 Разветвление ресурсов
.010 Подмена аргументов процесса

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. On Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019) Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)

ID: T1564.003
Относится к технике:  T1564
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Требуемые разрешения: User
Источники данных: Command: Command Execution, File: File Modification, Process: Process Creation, Script: Script Execution
Версия: 1.1
Дата создания: 13 Mar 2020
Последнее изменение: 15 Mar 2022

Примеры процедур
Название Описание
Astaroth

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window. (Citation: Cybereason Astaroth Feb 2019)
QuietSieve

QuietSieve has the ability to execute payloads in a hidden window.(Citation: Microsoft Actinium February 2022)
StrongPity

StrongPity has the ability to hide the console window for its document search module from the user.(Citation: Talos Promethium June 2020)
Kevin

Kevin can hide the current window from the targeted user via the `ShowWindow` API function.(Citation: Kaspersky Lyceum October 2021)
APT3

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.(Citation: FireEye Operation Double Tap)
APT28

APT28 has used the WindowStyle parameter to conceal PowerShell windows.(Citation: Palo Alto Sofacy 06-2018) (Citation: McAfee APT28 DDE1 Nov 2017)
APT19

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: FireEye APT19)
Koadic

Koadic has used the command Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden to hide its window.(Citation: MalwareBytes LazyScripter Feb 2021)
HAMMERTOSS

HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.(Citation: FireEye APT29)
SILENTTRINITY

SILENTTRINITY has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules July 2019)
QuasarRAT

QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems.(Citation: CISA AR18-352A Quasar RAT December 2018)
KeyBoy

KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload. (Citation: PWC KeyBoys Feb 2017)
MCMD

MCMD can modify processes to prevent them from being visible on the desktop.(Citation: Secureworks MCMD July 2019)
KOCTOPUS

KOCTOPUS has used -WindowsStyle Hidden to hide the command window.(Citation: MalwareBytes LazyScripter Feb 2021)
BONDUPDATER

BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.(Citation: FireEye APT34 Dec 2017)
Deep Panda

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)
Agent Tesla

Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)
Kivars

Kivars has the ability to conceal its activity through hiding active windows.(Citation: TrendMicro BlackTech June 2017)
Gorgon Group

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Unit 42 Gorgon Group Aug 2018)
CopyKittens

CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows. (Citation: ClearSky Wilted Tulip July 2017)
Higaisa

Higaisa used a payload that creates a hidden window.(Citation: PTSecurity Higaisa 2020)
Gamaredon Group

Gamaredon Group has used hidcon to run batch files in a hidden console window.(Citation: Unit 42 Gamaredon February 2022)
DarkHydrus

DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows. (Citation: Unit 42 DarkHydrus July 2018)
Meteor

Meteor can hide its console window upon execution to decrease its visibility to a victim.(Citation: Check Point Meteor Aug 2021)
Nomadic Octopus

Nomadic Octopus executed PowerShell in a hidden window.(Citation: ESET Nomadic Octopus 2018)

InvisiMole

InvisiMole has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020)
Kimsuky

Kimsuky has used an information gathering module that will hide an AV software window from the victim.(Citation: Talos Kimsuky Nov 2021)
APT32

APT32 has used the WindowStyle parameter to conceal PowerShell windows. (Citation: FireEye APT32 May 2017) (Citation: Cybereason Cobalt Kitty 2017)
PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.(Citation: Unit 42 Inception November 2018)
Magic Hound

Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.(Citation: Unit 42 Magic Hound Feb 2017)
WindTail

WindTail can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)
Metamorfo

Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.(Citation: Medium Metamorfo Apr 2020)

Cuba

Cuba has executed hidden PowerShell windows.(Citation: McAfee Cuba April 2021)

HotCroissant

HotCroissant has the ability to hide the window for operations performed on a given file.(Citation: Carbon Black HotCroissant April 2020)
Ursnif

Ursnif droppers have used COM properties to execute malware in hidden windows.(Citation: Bromium Ursnif Mar 2017)

Контрмеры
Контрмера Описание
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Обнаружение

Monitor processes and command-line arguments for actions indicative of hidden windows. In Windows, enable and configure event logging and PowerShell logging to check for the hidden window style. In MacOS, plist files are ASCII text files with a specific format, so they're relatively easy to parse. File monitoring can check for the apple.awt.UIElement or any other suspicious plist tag in plist files and flag them.

Ссылки

  1. Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
  2. Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.
  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  4. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  5. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  6. Sherstobitoff, R., Rea, M. (2017, November 7). Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack. Retrieved November 21, 2017.
  7. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  8. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  9. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  10. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  11. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  12. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  13. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  14. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  15. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  16. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  17. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  18. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  19. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  20. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  21. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  22. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  23. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  24. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  25. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  26. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  27. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  28. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  29. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  30. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
  31. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  32. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  33. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  34. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  35. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  36. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  37. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  38. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.