Originally published on medium.

Another article explaining my GitHub queries that I build for MS products (MS Defender & Azure Sentinel).

This query here can be used as part of threat hunting. I will talk about queries or posts that will explain how to form a threat hunting methodology in future posts.

Use case Name: Remote Services: Detect Hidden Windows Runs

Description: Monitor processes and command-line arguments for actions indicative of hidden windows.

MITRE Technique: https://attack.mitre.org/techniques/T1564/003/

MITRE Tactic: Defense Evasion

Hunting Query:

search in (DeviceEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents)
"-WindowStyle Hidden" or "-w hidden" or "-W Hidden" or "-windowstyle hidden" or "ProcessWindowStyle.Hidden"
| where InitiatingProcessParentFileName == 'powershell.exe' and isnotempty(ProcessCommandLine)
| where InitiatingProcessCommandLine !contains "C:\\WINDOWS\\ccmcache\\" 
and InitiatingProcessCommandLine !contains @"\AppDeployToolkit\"

Query Explanation:

search in (DeviceEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents)

We are going to be looking at the device events which could contain command lines and process trees.

"-WindowStyle Hidden" or "-w hidden" or "-W Hidden" or "-windowstyle hidden" or "ProcessWindowStyle.Hidden"

Using strings that are passed as command-line arguments for actions indicative of hidden windows.

| where InitiatingProcessParentFileName == 'powershell.exe' and isnotempty(ProcessCommandLine)

Exclude all the empty command line arguments and focus on arguments run only by “powershell.exe

| where InitiatingProcessCommandLine !contains "C:\\WINDOWS\\ccmcache\\" and InitiatingProcessCommandLine !contains @"\AppDeployToolkit\"

The last step & exclusion depends on the findings, results that vary from the environment/organization where this is run. I have excluded “ccmcache” which excludes all SCCM related executions and AppDeployToolkit which again is responsible for software installations on computers.

Find the code on GitHub here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s