PowerShell supports a command line parameter “WindowStyle” as shown below. The parameter “WindowStyle” sets the window style for that session. Valid values are Normal, Minimized, Maximized, and Hidden.
PowerShell[.exe]
[-PSConsoleFile <file> | -Version <version>]
[-NoLogo]
[-NoExit]
[-Sta]
[-Mta]
[-NoProfile]
[-NonInteractive]
[-InputFormat {Text | XML}]
[-OutputFormat {Text | XML}]
[-WindowStyle <style>]
[-EncodedCommand <Base64EncodedCommand>]
[-ConfigurationName <string>]
[-File - | <filePath> <args>]
[-ExecutionPolicy <ExecutionPolicy>]
[-Command - | { <script-block> [-args <arg-array>] }
| { <string> [<CommandParameters>] } ]Unhide PowerShell
Most malicious PowerShell scripts run PowerShell with the window style “Hidden”. When the process starts with WindowStyle hidden, no PowerShell console is displayed, so it runs unnoticed for the logged-in user. I created a script to unhide all PowerShell processes. This script can be used during a CERT incident when you want to unhide all PowerShell shells to see what commands are used.
Conclusion
There are ways to log PowerShell commands, but when logs are cleared, unhiding is an option.
The PowerShell script can be found here.
Microsoft Security Blog 