Add hide-graphical-window-from-taskbar.yml rule

mandiant · Jun 2, 2024 · 4e50e50 · 4e50e50
1 parent 4c2dec5
commit 4e50e50
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/host-interaction/gui/window/hide/hide-graphical-window-from-taskbar.yml b/host-interaction/gui/window/hide/hide-graphical-window-from-taskbar.yml
@@ -0,0 +1,29 @@
+rule:
+  meta:
+    name: hide graphical window from taskbar
+    namespace: host-interaction/gui/window/hide
+    authors:
+      - [email protected]
+    scopes:
+      static: basic block
+      dynamic: call
+    att&ck:
+      - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowlongptrw
+      - https://learn.microsoft.com/en-us/windows/win32/winmsg/extended-window-styles
+      - https://dreamlayers.blogspot.com/2010/12/hiding-window-from-taskbar-using.html
+    examples:
+      - 79252f58d486aee8c08a8a7ebd36ae11ab5798b289e7f88e71eacf8637c340cc:0x180004B22
+  features:
+    - and:
+      - api: GetWindowLongPtr
+      - api: SetWindowLongPtr
+      - number: 0x0FFFFFFEC = GWL_EXSTYLE (-20)
+      - or:
+        - instruction:
+          - mnemonic: or
+          - operand[1].number: 0x80 = WS_EX_TOOLWINDOW
+        - instruction:
+          - mnemonic: bts
+          - operand[1].number: 0x7