Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious PowerShell WindowStyle Option

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François Hubaut, Tim Shelton (fp AWS)Created Wed Oct 20Updated Tue Jan 03313fbb0a-a341-4682-848d-6d6f8c4fab7cwindows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
313fbb0a-a341-4682-848d-6d6f8c4fab7c
Status
test
Level
medium
Type
Detection
Created
Wed Oct 20
Modified
Tue Jan 03
Author
François Hubaut, Tim Shelton (fp AWS)
Path
rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
Raw Tags
attack.defense-evasionattack.t1564.003
View on GitHub