T1010

Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.

Microsoft Sentinel / Defender

kusto

let WindowAPIFunctions = dynamic([
    "GetForegroundWindow", "EnumWindows", "FindWindow", "GetWindowText",
    "GetActiveWindow", "EnumChildWindows", "GetWindowLong", "GetWindowRect",
    "FindWindowEx", "GetWindowInfo"
]);
// Vector 1: Script interpreters referencing window enumeration API functions
let ScriptInterpreterEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe")
| where ProcessCommandLine has_any (WindowAPIFunctions)
    or (ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32" and ProcessCommandLine has_any ("window", "Window", "hwnd", "hWnd"))
    or (ProcessCommandLine has "Shell.Application" and ProcessCommandLine has_any ("Windows()", ".Windows "))
| extend DetectionVector = case(
    ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32", "PowerShell P/Invoke Window API",
    ProcessCommandLine has "Shell.Application", "COM Shell Window Enumeration",
    "Script Window Enumeration API"
);
// Vector 2: Automation tools spawned from unexpected parents (not UI or development environments)
let AutomationToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
| extend DetectionVector = "Automation Tool Window Enumeration (Unusual Parent)";
// Vector 3: Known third-party window enumeration utilities
let KnownToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
| extend DetectionVector = "Known Window Enumeration Utility";
union ScriptInterpreterEnum, AutomationToolEnum, KnownToolEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionVector
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
Screen recording, remote desktop, and accessibility software (e.g., NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
Developer tooling such as UI testing frameworks (Selenium WebDriver for Windows, WinAppDriver, TestComplete) that programmatically enumerate windows
Python automation scripts for legitimate RPA (Robotic Process Automation) deployments using pywin32 or pywinauto
PowerShell DSC configurations or inventory scripts that query Shell.Application window state

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval ParentImageLower=lower(ParentImage)
| eval ScriptWindowAPIEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe") AND
    match(CommandLineLower, "(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex)"),
    1, 0)
| eval PInvokePattern=if(
    match(ImageLower, "(powershell|pwsh)\.exe") AND
    match(CommandLineLower, "(add-type|dllimport)") AND
    match(CommandLineLower, "user32") AND
    match(CommandLineLower, "(window|hwnd)"),
    1, 0)
| eval COMShellEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta)\.exe") AND
    match(CommandLineLower, "shell\.application") AND
    match(CommandLineLower, "windows\(\)"),
    1, 0)
| eval AutomationToolEnum=if(
    match(ImageLower, "(autoit3|autohotkey|ahk2exe)(_x64)?\.exe") AND
    NOT match(ParentImageLower, "(explorer|devenv|code|notepad\+\+|sublime_text|atom)\.exe"),
    1, 0)
| eval KnownWinEnumTool=if(
    match(ImageLower, "(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe"),
    1, 0)
| eval TotalScore=ScriptWindowAPIEnum + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| where TotalScore > 0
| eval DetectionVector=case(
    KnownWinEnumTool=1, "Known Window Enumeration Utility",
    AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    PInvokePattern=1, "PowerShell P/Invoke Window API",
    COMShellEnum=1, "COM Shell Window Enumeration",
    ScriptWindowAPIEnum=1, "Script Window Enumeration API",
    1=1, "Unknown"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionVector, TotalScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
Screen recording, remote desktop, and accessibility software (NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
Developer tooling such as UI testing frameworks (WinAppDriver, TestComplete, Ranorex) that programmatically enumerate windows
Python RPA automation using pywin32 or pywinauto libraries in approved business automation workflows
PowerShell scripts querying Shell.Application window state for IT inventory or configuration management

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe") and
    (
      process.command_line like~ "*GetForegroundWindow*" or
      process.command_line like~ "*EnumWindows*" or
      process.command_line like~ "*FindWindow*" or
      process.command_line like~ "*GetWindowText*" or
      process.command_line like~ "*GetActiveWindow*" or
      process.command_line like~ "*EnumChildWindows*" or
      process.command_line like~ "*GetWindowLong*" or
      process.command_line like~ "*FindWindowEx*" or
      process.command_line like~ "*GetWindowInfo*" or
      (
        process.command_line like~ "*Add-Type*" and
        process.command_line like~ "*DllImport*" and
        process.command_line like~ "*user32*" and
        (process.command_line like~ "*window*" or process.command_line like~ "*hwnd*")
      ) or
      (
        process.command_line like~ "*Shell.Application*" and
        process.command_line like~ "*Windows()*"
      )
    )
  ) or
  (
    process.name in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe") and
    not process.parent.name in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
  ) or
  process.name in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
)

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic SIEM Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate QA automation frameworks using AutoHotkey or AutoIt scripts for UI regression testing where the launching parent process is a CI/CD build agent or test runner not covered by the parent exclusion list (e.g., jenkins.exe, bamboo-agent.exe)
Windows GUI developers and security researchers using Spy++ (spyxx.exe, spyxx_amd64.exe) included with Visual Studio for window property inspection and message tracing during application debugging sessions
IT administrators or RMM platform agents running PowerShell scripts that use Add-Type with DllImport to call user32.dll for legitimate window management tasks during unattended software installations or accessibility configuration

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  CASE
    WHEN LOWER("Image") ILIKE '%winlister.exe%'
      OR LOWER("Image") ILIKE '%wintitles.exe%'
      OR LOWER("Image") ILIKE '%windowdetective.exe%'
      OR LOWER("Image") ILIKE '%spyxx%'
      OR LOWER("Image") ILIKE '%winspector.exe%'
      THEN 'Known Window Enumeration Utility'
    WHEN (LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%' OR LOWER("Image") ILIKE '%ahk2exe.exe%')
      AND NOT (LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%' OR LOWER("ParentImage") ILIKE '%code.exe%')
      THEN 'Automation Tool Window Enumeration (Unusual Parent)'
    WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%')
      AND LOWER("CommandLine") ILIKE '%add-type%'
      AND LOWER("CommandLine") ILIKE '%dllimport%'
      AND LOWER("CommandLine") ILIKE '%user32%'
      THEN 'PowerShell P/Invoke Window API'
    WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%' OR LOWER("Image") ILIKE '%mshta.exe%')
      AND LOWER("CommandLine") ILIKE '%shell.application%'
      AND LOWER("CommandLine") ILIKE '%windows()%'
      THEN 'COM Shell Window Enumeration'
    ELSE 'Script Window Enumeration API'
  END AS DetectionVector
FROM events
WHERE
  (LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%')
  AND (
    (
      (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%'
        OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%'
        OR LOWER("Image") ILIKE '%mshta.exe%' OR LOWER("Image") ILIKE '%python.exe%'
        OR LOWER("Image") ILIKE '%python3.exe%' OR LOWER("Image") ILIKE '%ruby.exe%'
        OR LOWER("Image") ILIKE '%perl.exe%')
      AND (
        LOWER("CommandLine") ILIKE '%getforegroundwindow%' OR
        LOWER("CommandLine") ILIKE '%enumwindows%' OR
        LOWER("CommandLine") ILIKE '%findwindow%' OR
        LOWER("CommandLine") ILIKE '%getwindowtext%' OR
        LOWER("CommandLine") ILIKE '%getactivewindow%' OR
        LOWER("CommandLine") ILIKE '%enumchildwindows%' OR
        LOWER("CommandLine") ILIKE '%getwindowlong%' OR
        LOWER("CommandLine") ILIKE '%findwindowex%' OR
        (
          LOWER("CommandLine") ILIKE '%add-type%' AND
          LOWER("CommandLine") ILIKE '%dllimport%' AND
          LOWER("CommandLine") ILIKE '%user32%' AND
          (LOWER("CommandLine") ILIKE '%window%' OR LOWER("CommandLine") ILIKE '%hwnd%')
        ) OR
        (
          LOWER("CommandLine") ILIKE '%shell.application%' AND
          LOWER("CommandLine") ILIKE '%windows()%'
        )
      )
    ) OR
    (
      (LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%'
        OR LOWER("Image") ILIKE '%ahk2exe.exe%' OR LOWER("Image") ILIKE '%autoit3_x64.exe%')
      AND NOT (
        LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%'
        OR LOWER("ParentImage") ILIKE '%code.exe%' OR LOWER("ParentImage") ILIKE '%notepad++.exe%'
        OR LOWER("ParentImage") ILIKE '%sublime_text.exe%' OR LOWER("ParentImage") ILIKE '%atom.exe%'
        OR LOWER("ParentImage") ILIKE '%cursor.exe%'
      )
    ) OR
    (
      LOWER("Image") ILIKE '%winlister.exe%' OR LOWER("Image") ILIKE '%wintitles.exe%'
      OR LOWER("Image") ILIKE '%windowdetective.exe%' OR LOWER("Image") ILIKE '%spyxx.exe%'
      OR LOWER("Image") ILIKE '%spyxx_amd64.exe%' OR LOWER("Image") ILIKE '%winspector.exe%'
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via Windows Event Log log source Windows Security Event Log (EventID 4688 with process tracking)

Required Tables

events

False Positives

UI automation scripts using AutoHotkey or AutoIt deployed by QA teams or software test pipelines where the parent process is a build agent, task scheduler, or test runner not present in the parent image exclusion conditions
Security engineers and Windows developers using Spy++ (spyxx.exe or spyxx_amd64.exe) from the Visual Studio toolset for window message tracing and hierarchy inspection during routine GUI development
PowerShell-based deployment automation or endpoint management tools (e.g., custom SCCM scripts, PDQ Deploy actions) that dynamically import user32.dll via Add-Type for window manipulation during silent software installation

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*sysmon*) EventID=1
| parse "Image: *\n" as Image nodrop
| parse "CommandLine: *\n" as CommandLine nodrop
| parse "ParentImage: *\n" as ParentImage nodrop
| parse "User: *\n" as User nodrop
| toLowerCase(Image) as image_lower
| toLowerCase(CommandLine) as cmdline_lower
| toLowerCase(ParentImage) as parent_lower
| eval ScriptWindowAPI = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*" or
     image_lower matches "*wscript.exe*" or image_lower matches "*cscript.exe*" or
     image_lower matches "*mshta.exe*" or image_lower matches "*python.exe*" or
     image_lower matches "*python3.exe*" or image_lower matches "*ruby.exe*" or
     image_lower matches "*perl.exe*") and
    (cmdline_lower matches "*getforegroundwindow*" or cmdline_lower matches "*enumwindows*" or
     cmdline_lower matches "*findwindow*" or cmdline_lower matches "*getwindowtext*" or
     cmdline_lower matches "*getactivewindow*" or cmdline_lower matches "*enumchildwindows*" or
     cmdline_lower matches "*getwindowlong*" or cmdline_lower matches "*findwindowex*"),
    1, 0)
| eval PInvokePattern = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*") and
    cmdline_lower matches "*add-type*" and cmdline_lower matches "*dllimport*" and
    cmdline_lower matches "*user32*" and
    (cmdline_lower matches "*window*" or cmdline_lower matches "*hwnd*"),
    1, 0)
| eval COMShellEnum = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*wscript.exe*" or
     image_lower matches "*cscript.exe*" or image_lower matches "*mshta.exe*") and
    cmdline_lower matches "*shell.application*" and cmdline_lower matches "*windows()*",
    1, 0)
| eval AutomationToolEnum = if(
    (image_lower matches "*autoit3.exe*" or image_lower matches "*autohotkey.exe*" or
     image_lower matches "*ahk2exe.exe*" or image_lower matches "*autoit3_x64.exe*") and
    not (parent_lower matches "*explorer.exe*" or parent_lower matches "*devenv.exe*" or
         parent_lower matches "*code.exe*" or parent_lower matches "*sublime_text.exe*" or
         parent_lower matches "*atom.exe*" or parent_lower matches "*cursor.exe*"),
    1, 0)
| eval KnownWinEnumTool = if(
    image_lower matches "*winlister.exe*" or image_lower matches "*wintitles.exe*" or
    image_lower matches "*windowdetective.exe*" or image_lower matches "*spyxx.exe*" or
    image_lower matches "*spyxx_amd64.exe*" or image_lower matches "*winspector.exe*",
    1, 0)
| eval TotalScore = ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| where TotalScore > 0
| eval DetectionVector = if(KnownWinEnumTool=1, "Known Window Enumeration Utility",
    if(AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    if(PInvokePattern=1, "PowerShell P/Invoke Window API",
    if(COMShellEnum=1, "COM Shell Window Enumeration",
    "Script Window Enumeration API"))))
| table _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionVector, TotalScore
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon via Sumo Logic Installed Collector Windows Event Logs via Sumo Logic Collector

Required Tables

_sourceCategory=*Windows* _sourceCategory=*sysmon*

False Positives

Desktop automation scripts (AutoHotkey, AutoIt) used by QA engineers or business process automation where the launching parent is a scheduler, RPA platform, or CI agent not in the parent exclusion list
Windows application developers using Spy++ (spyxx.exe) or Window Detective for GUI debugging and window hierarchy inspection — these are legitimate development tools that will always trigger the known tool vector
PowerShell IT automation or endpoint management scripts that programmatically load user32.dll via Add-Type for window lifecycle management during mass software deployments or configuration baselines

Google Chronicle / SecOps

yaral

rule t1010_application_window_discovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1010 Application Window Discovery via script interpreter window API calls, automation tools with unusual parents, or known window enumeration utilities"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1010"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1010/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe$`) and
        (
          re.regex($e.target.process.command_line,
            `(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|getwindowrect|findwindowex|getwindowinfo)`) or
          (
            re.regex($e.target.process.command_line, `(?i)(add-type|dllimport)`) and
            re.regex($e.target.process.command_line, `(?i)user32`) and
            re.regex($e.target.process.command_line, `(?i)(window|hwnd)`)
          ) or
          (
            re.regex($e.target.process.command_line, `(?i)shell\.application`) and
            re.regex($e.target.process.command_line, `(?i)\.windows\(\)`)
          )
        )
      ) or
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe$`)
      ) or
      re.regex($e.target.process.file.full_path,
        `(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe$`)
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle Forwarder or partner ingestion

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Desktop automation workflows using AutoHotkey or AutoIt for legitimate UI scripting where the parent process is a scheduled task host, RPA engine, or custom launcher not matched by the principal process exclusion regex
Security engineers and Windows GUI developers executing Spy++ (spyxx.exe, spyxx_amd64.exe) for window message spy and control hierarchy inspection during normal Visual Studio debugging workflows
PowerShell-based configuration management or deployment scripts using Add-Type with DllImport targeting user32.dll for programmatic window handling during unattended application setup or accessibility provisioning

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl|autoit3|autohotkey|ahk2exe|autoit3_x64|winlister|wintitles|windowdetective|spyxx|spyxx_amd64|winspector)\.exe/
| ScriptWindowAPI := if(
    ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe/ and
    CommandLine = /(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex|getwindowinfo)/,
    then=1, else=0)
| PInvokePattern := if(
    ImageFileName = /(?i)(powershell|pwsh)\.exe/ and
    CommandLine = /(?i)(add-type|dllimport)/ and
    CommandLine = /(?i)user32/ and
    CommandLine = /(?i)(window|hwnd)/,
    then=1, else=0)
| COMShellEnum := if(
    ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta)\.exe/ and
    CommandLine = /(?i)shell\.application/ and
    CommandLine = /(?i)windows\(\)/,
    then=1, else=0)
| AutomationToolEnum := if(
    ImageFileName = /(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe/ and
    not ParentBaseFileName = /(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe/,
    then=1, else=0)
| KnownWinEnumTool := if(
    ImageFileName = /(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe/,
    then=1, else=0)
| TotalScore := ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| TotalScore > 0
| DetectionVector := case {
    KnownWinEnumTool = 1 => "Known Window Enumeration Utility" ;
    AutomationToolEnum = 1 => "Automation Tool Window Enumeration (Unusual Parent)" ;
    PInvokePattern = 1 => "PowerShell P/Invoke Window API" ;
    COMShellEnum = 1 => "COM Shell Window Enumeration" ;
    ScriptWindowAPI = 1 => "Script Window Enumeration API" ;
    * => "Unknown"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionVector, TotalScore])
| sort(field=timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (formerly Humio) Falcon ProcessRollup2 event stream

Required Tables

ProcessRollup2

False Positives

Legitimate desktop automation scripts (AutoHotkey, AutoIt) used for UI test automation or business process automation where the parent process is a non-standard launcher such as a task scheduler wrapper, RPA agent, or custom script runner not in the ParentBaseFileName exclusion pattern
Windows GUI application developers and reverse engineers running Spy++ or Window Detective for window inspection and message tracing — particularly common on developer workstations where these tools are installed as part of Visual Studio
PowerShell scripts from IT management platforms or deployment tools that programmatically import user32.dll using Add-Type and DllImport for window management operations during automated provisioning, software updates, or accessibility configuration tasks

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Application Window Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections