Detect Application Window Discovery in Google Chronicle
Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1010 Application Window Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1010/
YARA-L Detection Query
rule t1010_application_window_discovery {
meta:
author = "Detection Engineering"
description = "Detects T1010 Application Window Discovery via script interpreter window API calls, automation tools with unusual parents, or known window enumeration utilities"
severity = "MEDIUM"
priority = "MEDIUM"
mitre_attack_tactic = "Discovery"
mitre_attack_technique = "T1010"
platform = "Windows"
reference = "https://attack.mitre.org/techniques/T1010/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
(
re.regex($e.target.process.file.full_path,
`(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe$`) and
(
re.regex($e.target.process.command_line,
`(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|getwindowrect|findwindowex|getwindowinfo)`) or
(
re.regex($e.target.process.command_line, `(?i)(add-type|dllimport)`) and
re.regex($e.target.process.command_line, `(?i)user32`) and
re.regex($e.target.process.command_line, `(?i)(window|hwnd)`)
) or
(
re.regex($e.target.process.command_line, `(?i)shell\.application`) and
re.regex($e.target.process.command_line, `(?i)\.windows\(\)`)
)
)
) or
(
re.regex($e.target.process.file.full_path,
`(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe$`) and
not re.regex($e.principal.process.file.full_path,
`(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe$`)
) or
re.regex($e.target.process.file.full_path,
`(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1010 Application Window Discovery using UDM PROCESS_LAUNCH events. Evaluates three detection vectors using UDM principal/target process model: (1) script interpreters (PowerShell, Python, WScript, etc.) with command lines referencing window enumeration API names or containing P/Invoke user32.dll loading patterns, (2) automation tools (AutoHotkey, AutoIt) where the initiating principal process is not a recognized development or desktop environment, and (3) known third-party window listing utilities historically abused by malware families including njRAT and DarkWatchman.
Data Sources
Required Tables
False Positives & Tuning
- Desktop automation workflows using AutoHotkey or AutoIt for legitimate UI scripting where the parent process is a scheduled task host, RPA engine, or custom launcher not matched by the principal process exclusion regex
- Security engineers and Windows GUI developers executing Spy++ (spyxx.exe, spyxx_amd64.exe) for window message spy and control hierarchy inspection during normal Visual Studio debugging workflows
- PowerShell-based configuration management or deployment scripts using Add-Type with DllImport targeting user32.dll for programmatic window handling during unattended application setup or accessibility provisioning
Other platforms for T1010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
- Test 2PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
- Test 3PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
- Test 4VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
References (10)
- https://attack.mitre.org/techniques/T1010/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-a-spy-platform-with-curious-GSM-fingerprinting/
- https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/35936/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.autohotkey.com/docs/v2/lib/WinGetTitle.htm
Unlock Pro Content
Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.