285. That's How Stealit Hides PowerShell Window

Hello everyone!

Adversaries often hide command and scripting interpreter's windows to use such tools silently. Today we'll look at a creative way of implementing Hide Artifacts: Hidden Window (T1564.003).

Let's look at Stealit. To hide PowerShell window the malware leverages the folowing command:

"powershell.exe -NoProfile -Command " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); '; $consolePtr = [Console.Window]::GetConsoleWindow(); [Console.Window]::ShowWindow($consolePtr, 0); ""

Interesting, right? And definitely worth a query:

event_type: "processcreatewin"

AND

proc_file_path: "powershell.exe"

AND

cmdline: ("GetConsoleWindow" AND "ShowWindow")

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!