Which SIEM platforms have a T1010 detection rule?

df00tech provides T1010 (Application Window Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Application Window Discovery (T1010)?

Detecting Application Window Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1010 detection?

The T1010 detection is rated medium severity with medium confidence.

What are common false positives for T1010?

Common false positives for T1010 include: Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling; Screen recording, remote desktop, and accessibility software (e.g., NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction; Developer tooling such as UI testing frameworks (Selenium WebDriver for Windows, WinAppDriver, TestComplete) that programmatically enumerate windows.

T1010

Application Window Discovery

Discovery Last updated: April 13, 2026

Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.

What is T1010 Application Window Discovery?

Application Window Discovery (T1010) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Application Window Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1010 Application Window Discovery
Canonical reference: https://attack.mitre.org/techniques/T1010/

Microsoft Sentinel / Defender

kusto

let WindowAPIFunctions = dynamic([
    "GetForegroundWindow", "EnumWindows", "FindWindow", "GetWindowText",
    "GetActiveWindow", "EnumChildWindows", "GetWindowLong", "GetWindowRect",
    "FindWindowEx", "GetWindowInfo"
]);
// Vector 1: Script interpreters referencing window enumeration API functions
let ScriptInterpreterEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe")
| where ProcessCommandLine has_any (WindowAPIFunctions)
    or (ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32" and ProcessCommandLine has_any ("window", "Window", "hwnd", "hWnd"))
    or (ProcessCommandLine has "Shell.Application" and ProcessCommandLine has_any ("Windows()", ".Windows "))
| extend DetectionVector = case(
    ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32", "PowerShell P/Invoke Window API",
    ProcessCommandLine has "Shell.Application", "COM Shell Window Enumeration",
    "Script Window Enumeration API"
);
// Vector 2: Automation tools spawned from unexpected parents (not UI or development environments)
let AutomationToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
| extend DetectionVector = "Automation Tool Window Enumeration (Unusual Parent)";
// Vector 3: Known third-party window enumeration utilities
let KnownToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
| extend DetectionVector = "Known Window Enumeration Utility";
union ScriptInterpreterEnum, AutomationToolEnum, KnownToolEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionVector
| sort by Timestamp desc

Detects application window discovery activity via three vectors: (1) script interpreters (PowerShell, WScript, Python) referencing Windows API functions such as EnumWindows, GetForegroundWindow, GetWindowText, or using PowerShell P/Invoke patterns loading user32.dll window APIs; (2) automation tools (AutoHotkey, AutoIt) spawned from non-development parent processes, which are commonly leveraged by malware families like Grandoreiro for window-based security tool detection; (3) known third-party window enumeration utilities (WinLister, Window Detective, Spy++). Detection confidence is medium — script-based patterns are reliably visible in command-line telemetry, but native compiled malware performing in-process API calls will not be caught without image load or process access telemetry.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
Screen recording, remote desktop, and accessibility software (e.g., NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
Developer tooling such as UI testing frameworks (Selenium WebDriver for Windows, WinAppDriver, TestComplete) that programmatically enumerate windows
Python automation scripts for legitimate RPA (Robotic Process Automation) deployments using pywin32 or pywinauto
PowerShell DSC configurations or inventory scripts that query Shell.Application window state

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval ParentImageLower=lower(ParentImage)
| eval ScriptWindowAPIEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe") AND
    match(CommandLineLower, "(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex)"),
    1, 0)
| eval PInvokePattern=if(
    match(ImageLower, "(powershell|pwsh)\.exe") AND
    match(CommandLineLower, "(add-type|dllimport)") AND
    match(CommandLineLower, "user32") AND
    match(CommandLineLower, "(window|hwnd)"),
    1, 0)
| eval COMShellEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta)\.exe") AND
    match(CommandLineLower, "shell\.application") AND
    match(CommandLineLower, "windows\(\)"),
    1, 0)
| eval AutomationToolEnum=if(
    match(ImageLower, "(autoit3|autohotkey|ahk2exe)(_x64)?\.exe") AND
    NOT match(ParentImageLower, "(explorer|devenv|code|notepad\+\+|sublime_text|atom)\.exe"),
    1, 0)
| eval KnownWinEnumTool=if(
    match(ImageLower, "(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe"),
    1, 0)
| eval TotalScore=ScriptWindowAPIEnum + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| where TotalScore > 0
| eval DetectionVector=case(
    KnownWinEnumTool=1, "Known Window Enumeration Utility",
    AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    PInvokePattern=1, "PowerShell P/Invoke Window API",
    COMShellEnum=1, "COM Shell Window Enumeration",
    ScriptWindowAPIEnum=1, "Script Window Enumeration API",
    1=1, "Unknown"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionVector, TotalScore
| sort - _time

Detects application window discovery via Sysmon Event ID 1 (Process Creation). Evaluates command lines from scripting engines and automation tools against known window enumeration patterns including Win32 API function names (EnumWindows, GetForegroundWindow, GetWindowText), PowerShell P/Invoke signatures loading user32.dll for window operations, COM Shell.Application window enumeration, and AutoHotkey/AutoIt spawned from non-development parent processes. A composite score is computed to prioritize alerts with multiple corroborating indicators.

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
Screen recording, remote desktop, and accessibility software (NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
Developer tooling such as UI testing frameworks (WinAppDriver, TestComplete, Ranorex) that programmatically enumerate windows
Python RPA automation using pywin32 or pywinauto libraries in approved business automation workflows
PowerShell scripts querying Shell.Application window state for IT inventory or configuration management

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe") and
    (
      process.command_line like~ "*GetForegroundWindow*" or
      process.command_line like~ "*EnumWindows*" or
      process.command_line like~ "*FindWindow*" or
      process.command_line like~ "*GetWindowText*" or
      process.command_line like~ "*GetActiveWindow*" or
      process.command_line like~ "*EnumChildWindows*" or
      process.command_line like~ "*GetWindowLong*" or
      process.command_line like~ "*FindWindowEx*" or
      process.command_line like~ "*GetWindowInfo*" or
      (
        process.command_line like~ "*Add-Type*" and
        process.command_line like~ "*DllImport*" and
        process.command_line like~ "*user32*" and
        (process.command_line like~ "*window*" or process.command_line like~ "*hwnd*")
      ) or
      (
        process.command_line like~ "*Shell.Application*" and
        process.command_line like~ "*Windows()*"
      )
    )
  ) or
  (
    process.name in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe") and
    not process.parent.name in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
  ) or
  process.name in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
)

Detects T1010 Application Window Discovery via three vectors: (1) script interpreters (PowerShell, Python, WScript, etc.) invoking Windows window enumeration API names in command-line arguments or using P/Invoke patterns to load user32.dll, (2) automation tools (AutoHotkey, AutoIt) launched from non-IDE and non-desktop parent processes suggesting malware-driven execution, and (3) execution of known third-party window inspection utilities used by adversaries to enumerate running application windows.

medium severity medium confidence

Data Sources

Elastic Endpoint Security Elastic SIEM Winlogbeat with Sysmon module

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate QA automation frameworks using AutoHotkey or AutoIt scripts for UI regression testing where the launching parent process is a CI/CD build agent or test runner not covered by the parent exclusion list (e.g., jenkins.exe, bamboo-agent.exe)
Windows GUI developers and security researchers using Spy++ (spyxx.exe, spyxx_amd64.exe) included with Visual Studio for window property inspection and message tracing during application debugging sessions
IT administrators or RMM platform agents running PowerShell scripts that use Add-Type with DllImport to call user32.dll for legitimate window management tasks during unattended software installations or accessibility configuration

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentImage,
  CASE
    WHEN LOWER("Image") ILIKE '%winlister.exe%'
      OR LOWER("Image") ILIKE '%wintitles.exe%'
      OR LOWER("Image") ILIKE '%windowdetective.exe%'
      OR LOWER("Image") ILIKE '%spyxx%'
      OR LOWER("Image") ILIKE '%winspector.exe%'
      THEN 'Known Window Enumeration Utility'
    WHEN (LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%' OR LOWER("Image") ILIKE '%ahk2exe.exe%')
      AND NOT (LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%' OR LOWER("ParentImage") ILIKE '%code.exe%')
      THEN 'Automation Tool Window Enumeration (Unusual Parent)'
    WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%')
      AND LOWER("CommandLine") ILIKE '%add-type%'
      AND LOWER("CommandLine") ILIKE '%dllimport%'
      AND LOWER("CommandLine") ILIKE '%user32%'
      THEN 'PowerShell P/Invoke Window API'
    WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%' OR LOWER("Image") ILIKE '%mshta.exe%')
      AND LOWER("CommandLine") ILIKE '%shell.application%'
      AND LOWER("CommandLine") ILIKE '%windows()%'
      THEN 'COM Shell Window Enumeration'
    ELSE 'Script Window Enumeration API'
  END AS DetectionVector
FROM events
WHERE
  (LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%')
  AND (
    (
      (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%'
        OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%'
        OR LOWER("Image") ILIKE '%mshta.exe%' OR LOWER("Image") ILIKE '%python.exe%'
        OR LOWER("Image") ILIKE '%python3.exe%' OR LOWER("Image") ILIKE '%ruby.exe%'
        OR LOWER("Image") ILIKE '%perl.exe%')
      AND (
        LOWER("CommandLine") ILIKE '%getforegroundwindow%' OR
        LOWER("CommandLine") ILIKE '%enumwindows%' OR
        LOWER("CommandLine") ILIKE '%findwindow%' OR
        LOWER("CommandLine") ILIKE '%getwindowtext%' OR
        LOWER("CommandLine") ILIKE '%getactivewindow%' OR
        LOWER("CommandLine") ILIKE '%enumchildwindows%' OR
        LOWER("CommandLine") ILIKE '%getwindowlong%' OR
        LOWER("CommandLine") ILIKE '%findwindowex%' OR
        (
          LOWER("CommandLine") ILIKE '%add-type%' AND
          LOWER("CommandLine") ILIKE '%dllimport%' AND
          LOWER("CommandLine") ILIKE '%user32%' AND
          (LOWER("CommandLine") ILIKE '%window%' OR LOWER("CommandLine") ILIKE '%hwnd%')
        ) OR
        (
          LOWER("CommandLine") ILIKE '%shell.application%' AND
          LOWER("CommandLine") ILIKE '%windows()%'
        )
      )
    ) OR
    (
      (LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%'
        OR LOWER("Image") ILIKE '%ahk2exe.exe%' OR LOWER("Image") ILIKE '%autoit3_x64.exe%')
      AND NOT (
        LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%'
        OR LOWER("ParentImage") ILIKE '%code.exe%' OR LOWER("ParentImage") ILIKE '%notepad++.exe%'
        OR LOWER("ParentImage") ILIKE '%sublime_text.exe%' OR LOWER("ParentImage") ILIKE '%atom.exe%'
        OR LOWER("ParentImage") ILIKE '%cursor.exe%'
      )
    ) OR
    (
      LOWER("Image") ILIKE '%winlister.exe%' OR LOWER("Image") ILIKE '%wintitles.exe%'
      OR LOWER("Image") ILIKE '%windowdetective.exe%' OR LOWER("Image") ILIKE '%spyxx.exe%'
      OR LOWER("Image") ILIKE '%spyxx_amd64.exe%' OR LOWER("Image") ILIKE '%winspector.exe%'
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

Detects T1010 Application Window Discovery in IBM QRadar using Windows Sysmon or Security event data. Queries process creation events for script interpreters referencing window enumeration API names, P/Invoke user32.dll import patterns, COM Shell.Application window enumeration, automation tools with unexpected parent processes, and known window listing utilities. Requires Custom Event Properties (CEPs) for Image, CommandLine, and ParentImage to be configured for the Sysmon log source type in QRadar.

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via Windows Event Log log source Windows Security Event Log (EventID 4688 with process tracking)

Required Tables

events

False Positives

UI automation scripts using AutoHotkey or AutoIt deployed by QA teams or software test pipelines where the parent process is a build agent, task scheduler, or test runner not present in the parent image exclusion conditions
Security engineers and Windows developers using Spy++ (spyxx.exe or spyxx_amd64.exe) from the Visual Studio toolset for window message tracing and hierarchy inspection during routine GUI development
PowerShell-based deployment automation or endpoint management tools (e.g., custom SCCM scripts, PDQ Deploy actions) that dynamically import user32.dll via Add-Type for window manipulation during silent software installation

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*sysmon*) EventID=1
| parse "Image: *\n" as Image nodrop
| parse "CommandLine: *\n" as CommandLine nodrop
| parse "ParentImage: *\n" as ParentImage nodrop
| parse "User: *\n" as User nodrop
| toLowerCase(Image) as image_lower
| toLowerCase(CommandLine) as cmdline_lower
| toLowerCase(ParentImage) as parent_lower
| eval ScriptWindowAPI = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*" or
     image_lower matches "*wscript.exe*" or image_lower matches "*cscript.exe*" or
     image_lower matches "*mshta.exe*" or image_lower matches "*python.exe*" or
     image_lower matches "*python3.exe*" or image_lower matches "*ruby.exe*" or
     image_lower matches "*perl.exe*") and
    (cmdline_lower matches "*getforegroundwindow*" or cmdline_lower matches "*enumwindows*" or
     cmdline_lower matches "*findwindow*" or cmdline_lower matches "*getwindowtext*" or
     cmdline_lower matches "*getactivewindow*" or cmdline_lower matches "*enumchildwindows*" or
     cmdline_lower matches "*getwindowlong*" or cmdline_lower matches "*findwindowex*"),
    1, 0)
| eval PInvokePattern = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*") and
    cmdline_lower matches "*add-type*" and cmdline_lower matches "*dllimport*" and
    cmdline_lower matches "*user32*" and
    (cmdline_lower matches "*window*" or cmdline_lower matches "*hwnd*"),
    1, 0)
| eval COMShellEnum = if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*wscript.exe*" or
     image_lower matches "*cscript.exe*" or image_lower matches "*mshta.exe*") and
    cmdline_lower matches "*shell.application*" and cmdline_lower matches "*windows()*",
    1, 0)
| eval AutomationToolEnum = if(
    (image_lower matches "*autoit3.exe*" or image_lower matches "*autohotkey.exe*" or
     image_lower matches "*ahk2exe.exe*" or image_lower matches "*autoit3_x64.exe*") and
    not (parent_lower matches "*explorer.exe*" or parent_lower matches "*devenv.exe*" or
         parent_lower matches "*code.exe*" or parent_lower matches "*sublime_text.exe*" or
         parent_lower matches "*atom.exe*" or parent_lower matches "*cursor.exe*"),
    1, 0)
| eval KnownWinEnumTool = if(
    image_lower matches "*winlister.exe*" or image_lower matches "*wintitles.exe*" or
    image_lower matches "*windowdetective.exe*" or image_lower matches "*spyxx.exe*" or
    image_lower matches "*spyxx_amd64.exe*" or image_lower matches "*winspector.exe*",
    1, 0)
| eval TotalScore = ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| where TotalScore > 0
| eval DetectionVector = if(KnownWinEnumTool=1, "Known Window Enumeration Utility",
    if(AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    if(PInvokePattern=1, "PowerShell P/Invoke Window API",
    if(COMShellEnum=1, "COM Shell Window Enumeration",
    "Script Window Enumeration API"))))
| table _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionVector, TotalScore
| sort by _messageTime desc

Detects T1010 Application Window Discovery in Sumo Logic using Sysmon EventID 1 (Process Creation) records. Parses Sysmon message fields inline and scores each event across five detection vectors: script interpreter window API calls, PowerShell P/Invoke user32.dll import patterns, COM Shell.Application window enumeration, automation tools launched from unusual parent processes, and known third-party window enumeration utilities. Events with a TotalScore greater than zero are surfaced with a categorized DetectionVector label.

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon via Sumo Logic Installed Collector Windows Event Logs via Sumo Logic Collector

Required Tables

_sourceCategory=*Windows* _sourceCategory=*sysmon*

False Positives

Desktop automation scripts (AutoHotkey, AutoIt) used by QA engineers or business process automation where the launching parent is a scheduler, RPA platform, or CI agent not in the parent exclusion list
Windows application developers using Spy++ (spyxx.exe) or Window Detective for GUI debugging and window hierarchy inspection — these are legitimate development tools that will always trigger the known tool vector
PowerShell IT automation or endpoint management scripts that programmatically load user32.dll via Add-Type for window lifecycle management during mass software deployments or configuration baselines

Google Chronicle / SecOps

yaral

rule t1010_application_window_discovery {
  meta:
    author = "Detection Engineering"
    description = "Detects T1010 Application Window Discovery via script interpreter window API calls, automation tools with unusual parents, or known window enumeration utilities"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1010"
    platform = "Windows"
    reference = "https://attack.mitre.org/techniques/T1010/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe$`) and
        (
          re.regex($e.target.process.command_line,
            `(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|getwindowrect|findwindowex|getwindowinfo)`) or
          (
            re.regex($e.target.process.command_line, `(?i)(add-type|dllimport)`) and
            re.regex($e.target.process.command_line, `(?i)user32`) and
            re.regex($e.target.process.command_line, `(?i)(window|hwnd)`)
          ) or
          (
            re.regex($e.target.process.command_line, `(?i)shell\.application`) and
            re.regex($e.target.process.command_line, `(?i)\.windows\(\)`)
          )
        )
      ) or
      (
        re.regex($e.target.process.file.full_path,
          `(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe$`)
      ) or
      re.regex($e.target.process.file.full_path,
        `(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe$`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1010 Application Window Discovery using UDM PROCESS_LAUNCH events. Evaluates three detection vectors using UDM principal/target process model: (1) script interpreters (PowerShell, Python, WScript, etc.) with command lines referencing window enumeration API names or containing P/Invoke user32.dll loading patterns, (2) automation tools (AutoHotkey, AutoIt) where the initiating principal process is not a recognized development or desktop environment, and (3) known third-party window listing utilities historically abused by malware families including njRAT and DarkWatchman.

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle Forwarder or partner ingestion

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Desktop automation workflows using AutoHotkey or AutoIt for legitimate UI scripting where the parent process is a scheduled task host, RPA engine, or custom launcher not matched by the principal process exclusion regex
Security engineers and Windows GUI developers executing Spy++ (spyxx.exe, spyxx_amd64.exe) for window message spy and control hierarchy inspection during normal Visual Studio debugging workflows
PowerShell-based configuration management or deployment scripts using Add-Type with DllImport targeting user32.dll for programmatic window handling during unattended application setup or accessibility provisioning

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl|autoit3|autohotkey|ahk2exe|autoit3_x64|winlister|wintitles|windowdetective|spyxx|spyxx_amd64|winspector)\.exe/
| ScriptWindowAPI := if(
    ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe/ and
    CommandLine = /(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex|getwindowinfo)/,
    then=1, else=0)
| PInvokePattern := if(
    ImageFileName = /(?i)(powershell|pwsh)\.exe/ and
    CommandLine = /(?i)(add-type|dllimport)/ and
    CommandLine = /(?i)user32/ and
    CommandLine = /(?i)(window|hwnd)/,
    then=1, else=0)
| COMShellEnum := if(
    ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta)\.exe/ and
    CommandLine = /(?i)shell\.application/ and
    CommandLine = /(?i)windows\(\)/,
    then=1, else=0)
| AutomationToolEnum := if(
    ImageFileName = /(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe/ and
    not ParentBaseFileName = /(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe/,
    then=1, else=0)
| KnownWinEnumTool := if(
    ImageFileName = /(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe/,
    then=1, else=0)
| TotalScore := ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| TotalScore > 0
| DetectionVector := case {
    KnownWinEnumTool = 1 => "Known Window Enumeration Utility" ;
    AutomationToolEnum = 1 => "Automation Tool Window Enumeration (Unusual Parent)" ;
    PInvokePattern = 1 => "PowerShell P/Invoke Window API" ;
    COMShellEnum = 1 => "COM Shell Window Enumeration" ;
    ScriptWindowAPI = 1 => "Script Window Enumeration API" ;
    * => "Unknown"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionVector, TotalScore])
| sort(field=timestamp, order=desc)

CrowdStrike Falcon LogScale detection for T1010 Application Window Discovery using ProcessRollup2 telemetry. Pre-filters to relevant process image names then scores each event across five detection vectors: script interpreter window API name references in command lines, PowerShell P/Invoke user32.dll import patterns, COM Shell.Application window enumeration, automation tool execution from non-standard parent processes, and known window enumeration utilities. Leverages Falcon's comprehensive process lineage and full command-line capture for high-fidelity detection.

medium severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (formerly Humio) Falcon ProcessRollup2 event stream

Required Tables

ProcessRollup2

False Positives

Legitimate desktop automation scripts (AutoHotkey, AutoIt) used for UI test automation or business process automation where the parent process is a non-standard launcher such as a task scheduler wrapper, RPA agent, or custom script runner not in the ParentBaseFileName exclusion pattern
Windows GUI application developers and reverse engineers running Spy++ or Window Detective for window inspection and message tracing — particularly common on developer workstations where these tools are installed as part of Visual Studio
PowerShell scripts from IT management platforms or deployment tools that programmatically import user32.dll using Add-Type and DllImport for window management operations during automated provisioning, software updates, or accessibility configuration tasks

Sigma rule & cross-platform mapping

The detection logic for Application Window Discovery (T1010) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1010 Sigma rules on detection.fyi

Platform-specific guides for T1010

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
Test 2PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
Test 3PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
Test 4VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Application Window Discovery

What is T1010 Application Window Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1010

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1010 Application Window Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1010

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox