Skip to content

Latest commit

 

History

History
129 lines (63 loc) · 4.33 KB

T1564.003.md

File metadata and controls

129 lines (63 loc) · 4.33 KB
Raw

T1564.003 - Hide Artifacts: Hidden Window

Description from ATT&CK

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)

On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.

Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)

In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.

Atomic Tests


Atomic Test #1 - Hidden Window

Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. Upon execution a hidden PowerShell window will launch calc.exe

Supported Platforms: Windows

auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a

Inputs:

Name Description Type Default Value
powershell_command Command to launch calc.exe from a hidden PowerShell Window string powershell.exe -WindowStyle hidden calc.exe

Attack Commands: Run with powershell!

Start-Process #{powershell_command}


Atomic Test #2 - Headless Browser Accessing Mockbin

The following Atomic Red Team test leverages the Chrome headless browser to access a mockbin site. Create your own Mockbin.org site and replace the BIN in the inputs. The default Mockbin ID forwards to google.com and you may view the details here https://mockbin.org/bin/f6b9a876-a826-4ac0-83b8-639d6ad516ec/view. Reference: https://cert.gov.ua/article/5702579

Supported Platforms: Windows

auto_generated_guid: 0ad9ab92-c48c-4f08-9b20-9633277c4646

Inputs:

Name Description Type Default Value
bin_id Mockbin.org BIN ID string f6b9a876-a826-4ac0-83b8-639d6ad516ec
browser Browser to use (msedge, chrome, firefox) string chrome

Attack Commands: Run with command_prompt!

start "" #{browser} --headless --disable-gpu https://mockbin.org/bin/#{bin_id}

Cleanup Commands:

taskkill /im #{browser} /f


Atomic Test #3 - Hidden Window-Conhost Execution

Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. conhost.exe can be used as proxy the execution of arbitrary commands

Supported Platforms: Windows

auto_generated_guid: 5510d22f-2595-4911-8456-4d630c978616

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

conhost.exe --headless calc.exe

Cleanup Commands:

Stop-Process -Name calc*