MITRE ATT&CK® Analytic

AN0360: Analytic 0360

Suspicious use of scripting parameters or registry edits to hide process windows (e.g., powershell.exe -WindowStyle Hidden, or registry modifications pushing window positions off screen). Defender view: correlation of hidden execution with anomalous process lineage or hVNC-like CreateDesktop API calls.

Enterprise | AN0360 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic highlights a Windows behavior where a process is intentionally run or configured so its window is hidden, such as hidden PowerShell execution or registry changes that move windows off screen. For leaders, the value is not that every hidden window is malicious, but that hidden execution can reduce user visibility and complicate incident triage when paired with unusual process lineage or desktop-manipulation activity.

Executive priority

Prioritize this as a validation item for Windows endpoint visibility and SOC triage quality. Security leaders should ask whether teams can prove they collect process command lines, parent-child process context, and relevant registry activity needed to distinguish legitimate automation from suspicious hidden execution. Because ATT&CK provides no tactic mapping or relationship context for this object, treat it as a defensive analytic coverage check rather than a standalone risk conclusion.

Technical view

For SOC and detection engineering teams, validate detection logic around Windows processes launched with hidden-window parameters, especially scripting hosts such as powershell.exe using options like '-WindowStyle Hidden' as described by MITRE. Also validate coverage for registry edits that alter window placement and for correlation with anomalous process lineage or hVNC-like CreateDesktop API activity. Since no official detection logic is provided, teams should build and tune locally using known-good administrative scripts, software deployment tooling, and baseline process lineage.

Likely telemetry

  • Windows process creation events with full command-line arguments
  • Parent-child process lineage for Windows processes
  • Registry modification telemetry related to window positioning or display behavior
  • Endpoint telemetry capable of identifying CreateDesktop API activity or similar desktop/session manipulation
  • User, host, and execution context needed to separate managed automation from unusual interactive activity

Detection direction

  • Do not alert on hidden-window parameters alone without tuning; legitimate scripts and administrative automation may use hidden execution.
  • Correlate hidden execution with unusual parent processes, unexpected users, rare hosts, or other suspicious execution context.
  • Review whether registry-based window hiding is visible in current endpoint or Windows logging coverage.
  • If CreateDesktop API or hVNC-like desktop behavior is monitored, use it as higher-value context rather than relying only on command-line strings.
  • Document blind spots where command-line logging, registry monitoring, or endpoint API telemetry is absent.
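As an added illustration of the correlation guidance above (example code written for this page, not part of the MITRE analytic or the Glexia page), the following Python scores constructed Sysmon-style process-creation events: the hidden-window flag is only the trigger, and the verdict comes from parent-process baseline, parent path, and user context. The event records, the baseline sets, and the matching of PowerShell's abbreviated -WindowStyle prefixes are assumptions.

```python
# Constructed process-creation events in a Sysmon/EDR-like shape (sample data, not real telemetry).
EVENTS = [
    {"host": "ws01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\CCM\\CcmExec.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -NonInteractive -File C:\\Deploy\\install.ps1"},
    {"host": "ws07", "user": "CORP\\asmith", "parent": "C:\\Users\\asmith\\AppData\\Local\\Temp\\setup.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -win h -nop -File C:\\Users\\asmith\\AppData\\Local\\Temp\\run.ps1"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
APPROVED_PARENTS = {"ccmexec.exe", "svchost.exe"}  # hypothetical local baseline of legitimate hidden-script launchers
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\network service", "nt authority\\local service"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_hidden_window(cmdline):
    """True for -WindowStyle Hidden, including PowerShell prefix forms like -w hidden or -win h."""
    toks = cmdline.split()  # assumes whitespace-separated arguments
    for flag, val in zip(toks, toks[1:]):
        name = flag.lstrip("-").lower()
        if flag.startswith("-") and name and "windowstyle".startswith(name) \
                and "hidden".startswith(val.lower()):
            return True
    return False

def triage(event):
    """Hidden execution alone is 'observe'; each anomalous-context signal raises it toward 'alert'."""
    if basename(event["image"]) not in SCRIPT_HOSTS or not is_hidden_window(event["cmdline"]):
        return None  # not a hidden scripting-host launch: no action
    parent_path, parent = event["parent"].lower(), basename(event["parent"])
    reasons = []
    if parent not in APPROVED_PARENTS:
        reasons.append(f"parent {parent} not in hidden-execution baseline")
    if any(seg in parent_path for seg in USER_WRITABLE):
        reasons.append("parent image resides in a user-writable path")
    if event["user"].lower() not in SERVICE_ACCOUNTS:
        reasons.append(f"interactive user context: {event['user']}")
    verdict = "observe" if not reasons else "review" if len(reasons) == 1 else "alert"
    return {"host": event["host"], "verdict": verdict, "reasons": reasons}

def run(events):
    return [r for r in map(triage, events) if r is not None]
```

Missing parent, user, or command-line fields in real telemetry would silently weaken the scoring, which is the blind-spot inventory the last bullet asks teams to document.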

Mitigation priorities

  • Ensure Windows endpoint logging captures process command lines and parent-child relationships.
  • Enable or validate registry monitoring for relevant persistence, concealment, or UI-manipulation changes where operationally feasible.
  • Establish baselines for approved administrative scripts and software deployment tools that legitimately use hidden execution.
  • Use least privilege and script execution governance to reduce unnecessary hidden scripting activity.
  • Feed tuned detections into incident response playbooks so analysts verify user context, process lineage, and host role before escalation.

Analyst notes and limits

This object is a detection analytic for Windows only. It describes suspicious hidden-window execution and recommends correlation with anomalous lineage or hVNC-like CreateDesktop API calls, but it does not provide a formal detection query, tactic mapping, or related ATT&CK objects. Local baselining is essential because hidden execution can occur in legitimate administration.

The supplied ATT&CK fields include no official detection logic, no tactics, no relationships, and no evidence of active exploitation or attribution. Coverage and priority must be confirmed against the organization’s Windows telemetry, logging configuration, and approved automation practices.

Official MITRE ATT&CK definition

Analytic 0360

Suspicious use of scripting parameters or registry edits to hide process windows (e.g., powershell.exe -WindowStyle Hidden, or registry modifications pushing window positions off screen). Defender view: correlation of hidden execution with anomalous process lineage or hVNC-like CreateDesktop API calls.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5dd9309968b7ed33...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   5dd9309968b7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0360 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.