Description
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden.(Citation: PowerShell About 2019)
The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the WindowPosition subkey in the HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)
In addition, Windows supports the CreateDesktop() API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.
Adversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.
Platforms
Mitigations (2)
Execution PreventionM1038
Limit or restrict program execution using anti-virus software. On MacOS, allowlist programs that are allowed to have the plist tag. All other programs should be considered suspicious.
Limit Software InstallationM1033
Restrict the installation of software that may be abused to create hidden desktops, such as hVNC, to user groups that require it.
Threat Groups (18)
| ID | Group | Context |
|---|---|---|
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to use <code>-WindowStyle Hidden</code> to conceal [PowerShell](https://attack.mitre.org/... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized PowerShell scripts that run without notifying the user of its execution to includ... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used the WindowStyle parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/00... |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used <code>-W Hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/001) wind... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used .txt files to conceal PowerShell commands.(Citation: Gemini_FIN7_Jan2022) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has utilized the `ShowWindow` API function to hide the current window.(Citation: Security Scorec... |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) has used <code>-w hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) has used <code>-W Hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniques/T105... |
| G0052 | CopyKittens | [CopyKittens](https://attack.mitre.org/groups/G0052) has used <code>-w hidden</code> and <code>-windowstyle hidden</code> to conceal [PowerShell](http... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used a payload that creates a hidden window.(Citation: PTSecurity Higaisa 2020) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used <code>hidcon</code> to run batch files in a hidden console window.(Citation: Unit 42... |
| G0079 | DarkHydrus | [DarkHydrus](https://attack.mitre.org/groups/G0079) has used <code>-WindowStyle Hidden</code> to conceal [PowerShell](https://attack.mitre.org/techniq... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has hidden malicious scripts using `powershell.exe -windowstyle hidden`. (Citation: Kaspersky ToddyC... |
| G0133 | Nomadic Octopus | [Nomadic Octopus](https://attack.mitre.org/groups/G0133) executed PowerShell in a hidden window.(Citation: ESET Nomadic Octopus 2018) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used an information gathering module that will hide an AV software window from the victim.(Citati... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has set the ShowWindow property of the Win32_ProcessStartup object to zero to hide PowerShell execut... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used the WindowStyle parameter to conceal [PowerShell](https://attack.mitre.org/techniques/T1059/00... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware has a function to determine whether the C2 server wishes to execute the newly dropped fil... |
Associated Software (43)
| ID | Name | Type | Context |
|---|---|---|---|
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) loads its module with the XSL script parameter <code>vShow</code> set to zero, which opens the app... |
| S0686 | QuietSieve | Malware | [QuietSieve](https://attack.mitre.org/software/S0686) has the ability to execute payloads in a hidden window.(Citation: Microsoft Actinium February 20... |
| S0491 | StrongPity | Malware | [StrongPity](https://attack.mitre.org/software/S0491) has the ability to hide the console window for its document search module from the user.(Citatio... |
| S1199 | LockBit 2.0 | Malware | [LockBit 2.0](https://attack.mitre.org/software/S1199) can execute command line arguments in a hidden window.(Citation: Palo Alto Lockbit 2.0 JUN 2022... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can hide the current window from the targeted user via the `ShowWindow` API function.(Citation: Kaspe... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) has used the command <code>Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden</code> to hide... |
| S0037 | HAMMERTOSS | Malware | [HAMMERTOSS](https://attack.mitre.org/software/S0037) has used <code>-WindowStyle hidden</code> to conceal [PowerShell](https://attack.mitre.org/techn... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) has the ability to set its window state to hidden.(Citation: GitHub SILENTTRINITY Modules Jul... |
| S0262 | QuasarRAT | Tool | [QuasarRAT](https://attack.mitre.org/software/S0262) can hide process windows and make web requests invisible to the compromised user. Requests marked... |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) uses <code>-w Hidden</code> to conceal a [PowerShell](https://attack.mitre.org/techniques/T1059/001)... |
| S1089 | SharpDisco | Malware | [SharpDisco](https://attack.mitre.org/software/S1089) can hide windows using `ProcessWindowStyle.Hidden`.(Citation: MoustachedBouncer ESET August 2023... |
| S0500 | MCMD | Tool | [MCMD](https://attack.mitre.org/software/S0500) can modify processes to prevent them from being visible on the desktop.(Citation: Secureworks MCMD Jul... |
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has used <code>-WindowsStyle Hidden</code> to hide the command window.(Citation: MalwareBytes Lazy... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has leveraged Hidden Virtual Network Computing (HVNC) to remain undetected and conduct execution ... |
| S0360 | BONDUPDATER | Malware | [BONDUPDATER](https://attack.mitre.org/software/S0360) uses <code>-windowstyle hidden</code> to conceal a [PowerShell](https://attack.mitre.org/techni... |
| S1172 | OilBooster | Malware | [OilBooster](https://attack.mitre.org/software/S1172) can hide its console window upon execution through the `ShowWindow` API. (Citation: ESET OilRig ... |
| S9001 | SystemBC | Malware | [SystemBC](https://attack.mitre.org/software/S9001) has utilized the `-WindowStyle Hidden -ep bypass -file `to conceal PowerShell windows.(Citation: S... |
| S1226 | BOOKWORM | Malware | [BOOKWORM](https://attack.mitre.org/software/S1226) has created a hidden window when conducting key logging and clipboard theft through its KBLogger.d... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has used <code>ProcessWindowStyle.Hidden</code> to hide windows.(Citation: Malwarebytes Agent T... |
| S1087 | AsyncRAT | Tool | [AsyncRAT](https://attack.mitre.org/software/S1087) can hide the execution of scheduled tasks using `ProcessWindowStyle.Hidden`.(Citation: Telefonica... |
References
- Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.
- Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.
- Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.
- Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.
- Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.
- Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.
- Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.
- Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.
Frequently Asked Questions
What is T1564.003 (Hidden Window)?
T1564.003 is a MITRE ATT&CK technique named 'Hidden Window'. It belongs to the Stealth tactic(s). Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation ca...
How can T1564.003 be detected?
Detection of T1564.003 (Hidden Window) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.003?
There are 2 documented mitigations for T1564.003. Key mitigations include: Execution Prevention, Limit Software Installation.
Which threat groups use T1564.003?
Known threat groups using T1564.003 include: APT3, VOID MANTICORE, APT28, APT19, FIN7, Medusa Group, Deep Panda, Gorgon Group.