Clankerusecase
MITRE ATT&CK detection coverage

T1564.003 Hidden Window

T1564.003 — Hidden Window is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 8 detection use cases covering it and 6 threat-intel articles citing it.

Defense Evasion
8 Use cases
6 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (8)

Headless Browser Mockbin or Mocky Request · ESCU actions · alerting · P
Headless Browser Usage · ESCU actions · hunting · P
Windows ConHost with Headless Argument · ESCU actions · alerting · P
[LLM] Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain · Bespoke delivery · alerting · DSΣPDD
[LLM] Four-way node.exe -e fanout spawned from VSCode shell descendants (BlokTrooper stage-2) · Bespoke install · alerting · DSPDDCS
[LLM] APT28 MacroMaze: Edge launched off-screen or headless to webhook.site by non-browser parent · Bespoke c2 · alerting · DSΣP
[LLM] VS Code (Code.exe/node) drops payload to %TEMP%\Lightshot staging directory · Bespoke delivery · hunting · DSΣPDDCS
[LLM] Bun/Node executing the Sha1-Hulud worm payload (setup_bun.js / bun_environment.js) · Bespoke install · alerting · DSΣPDDCS

Articles citing this technique (6)