Phase 1 · T1059.001 · Easy

Detecting Hidden-Window PowerShell

PowerShell launched with -WindowStyle Hidden is rarely benign on workstations.

#Windows #PowerShell

Detection Objective

Alert on -w hidden / -WindowStyle Hidden usage on interactive endpoints.

Real-World Attack Scenario

Loaders launch hidden PowerShell so the victim sees no UI flash. Combined with -nop and -enc, the pattern is high-confidence malicious.

Why This Detection Matters

Cheap, high-precision behavioral indicator.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1 command line
Windows Event IDs: 4688
Sysmon Event IDs: 1
Wazuh Log Source: Sysmon/Operational

Setup Steps

  1. Enable command-line capture for 4688 or use Sysmon EID 1.

Safe Validation Command

Spawn a hidden PowerShell that exits immediately.
powershell.exe -nop -w hidden -c "exit"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon EID 1
CommandLine: powershell.exe -nop -w hidden -c "exit"

Detection Logic (Wazuh rule concept)

Image ends with powershell.exe AND CommandLine matches /(?i)-w(indowstyle)?\s+hidden/

False Positives

  • Scheduled tasks intentionally running hidden

Tuning Recommendations

  • Allowlist by signed parent or known SchedTask path.

Analyst Triage Notes

  • Check parent process and user session type.

Detection Improvement Ideas

  • Score higher when paired with -nop, -enc, or short-lived process.
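As an added example (not part of this roadmap entry or its Wazuh rule set), the Python below runs the rule concept above over constructed Sysmon EID 1 records and also demonstrates the generalisation a practitioner would want: powershell.exe accepts any unambiguous abbreviation of a parameter (-w, -wi, -win, ... for -WindowStyle; -e for -EncodedCommand), a leading '/' instead of '-', and the numeric enum value 1 for Hidden, so the page's literal regex misses some spellings. The score weights, the parent allowlist, and the sample events are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Regex from the page's Wazuh rule concept; the Image clause is checked in evaluate().
PAGE_RULE = re.compile(r"(?i)-w(indowstyle)?\s+hidden")

def _switch(name, shortest, value=None):
    """Regex for a powershell.exe parameter given as any prefix of `name` no shorter than
    `shortest` (the parser's minimum), introduced by '-' or '/', optionally with argument `value`."""
    alts = "|".join(re.escape(name[:n]) for n in range(len(name), len(shortest) - 1, -1))
    tail = rf"\s+(?:{value})\b" if value else r"\b"
    return re.compile(rf"(?i)(?:^|\s)[-/](?:{alts}){tail}")

HIDDEN = _switch("windowstyle", "w", "hidden|1")  # ProcessWindowStyle.Hidden has value 1
NOPROFILE = _switch("noprofile", "nop")
ENCODED = _switch("encodedcommand", "e")
# Constructed allowlist: parents that may legitimately run hidden PowerShell (scheduled tasks).
ALLOWLISTED_PARENTS = {r"c:\windows\system32\svchost.exe"}
@dataclass
class SysmonEid1:
    image: str
    parent_image: str
    command_line: str
    user: str

def evaluate(ev):
    # Verdict of the page's literal rule, verdict of the broader pattern, and an assumed triage score.
    is_ps = ev.image.lower().endswith("powershell.exe")
    page_hit = is_ps and bool(PAGE_RULE.search(ev.command_line))
    hidden = is_ps and bool(HIDDEN.search(ev.command_line))
    score, reasons = 0, []
    if hidden:
        score, reasons = 50, ["hidden window"]
        if NOPROFILE.search(ev.command_line):
            score, reasons = score + 20, reasons + ["-nop"]
        if ENCODED.search(ev.command_line):
            score, reasons = score + 30, reasons + ["-enc"]
        if ev.parent_image.lower() in ALLOWLISTED_PARENTS:
            score, reasons = score - 40, reasons + ["allowlisted parent"]
    return {"page_rule": page_hit, "hidden": hidden, "score": score, "reasons": reasons}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [  # constructed events: the page's validation, an abbreviated variant, a benign run, a scheduled task
    SysmonEid1(PS, r"C:\Windows\explorer.exe", 'powershell.exe -nop -w hidden -c "exit"', r"CORP\j.doe"),
    SysmonEid1(PS, r"C:\Users\j.doe\AppData\Local\Temp\setup.exe", "powershell.exe /nop /win 1 -e QQBCAEMA", r"CORP\j.doe"),
    SysmonEid1(PS, r"C:\Windows\explorer.exe", r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1", r"CORP\j.doe"),
    SysmonEid1(PS, r"C:\Windows\System32\svchost.exe", r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\Corp\health.ps1", r"NT AUTHORITY\SYSTEM"),
]
if __name__ == "__main__":
    for ev in SAMPLES:
        print(f"{ev.command_line} -> {evaluate(ev)}")
```

The second sample shows why the broader pattern matters: it produces the same hidden window as the validation command but never contains the literal text the page's regex looks for.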

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100529
Detecting Hidden-Window PowerShell
Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -nop -w hidden -c "exit"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Check parent process and user session type.

Parent → Child Analysis

explorer.exe → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • -WindowStyle Hidden
    Suppresses the console window — rare for legitimate user workflows.
  • -NoProfile / -nop
    Skips profile scripts so attacker code runs in a clean, predictable environment.

Parsed Fields the Analyst Reads

  • Image: process binary that executed; confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it; context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments, where attacker intent shows up.
    powershell.exe -nop -w hidden -c "exit"
  • User: account context; service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100529
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened; anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern: Hidden-Window PowerShell
description: Loaders launch hidden PowerShell so the victim sees no UI flash. Combined with -nop and -enc, the pattern is high-confidence malicious.
analyst takeaway: Cheap, high-precision behavioral indicator. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command: powershell.exe -nop -w hidden -c "exit"
expected event: Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert: Wazuh rule 100529 — "Detecting Hidden-Window PowerShell" fires at a level matching severity=medium.
confirming log fields: Image, ParentImage, CommandLine, User, EventID
analyst interpretation: The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion: Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.