title: Suspicious PowerShell WindowStyle Option
author: frack113
date: 2021/10/20
description: Adversaries may use hidden windows to conceal malicious activity from
  the plain sight of users. In some cases, windows that would typically be displayed
  when an application carries out an operation can be hidden
detection:
  SELECTION_1:
    ScriptBlockText: '*powershell*'
  SELECTION_2:
    ScriptBlockText: '*WindowStyle*'
  SELECTION_3:
    ScriptBlockText: '*Hidden*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unknown
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
level: medium
logsource:
  category: ps_script
  product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.003