Detect Application Window Discovery in Elastic Security
Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1010 Application Window Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1010/
Elastic Detection Query
process where event.type == "start" and (
(
process.name in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe") and
(
process.command_line like~ "*GetForegroundWindow*" or
process.command_line like~ "*EnumWindows*" or
process.command_line like~ "*FindWindow*" or
process.command_line like~ "*GetWindowText*" or
process.command_line like~ "*GetActiveWindow*" or
process.command_line like~ "*EnumChildWindows*" or
process.command_line like~ "*GetWindowLong*" or
process.command_line like~ "*FindWindowEx*" or
process.command_line like~ "*GetWindowInfo*" or
(
process.command_line like~ "*Add-Type*" and
process.command_line like~ "*DllImport*" and
process.command_line like~ "*user32*" and
(process.command_line like~ "*window*" or process.command_line like~ "*hwnd*")
) or
(
process.command_line like~ "*Shell.Application*" and
process.command_line like~ "*Windows()*"
)
)
) or
(
process.name in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe") and
not process.parent.name in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
) or
process.name in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
)Detects T1010 Application Window Discovery via three vectors: (1) script interpreters (PowerShell, Python, WScript, etc.) invoking Windows window enumeration API names in command-line arguments or using P/Invoke patterns to load user32.dll, (2) automation tools (AutoHotkey, AutoIt) launched from non-IDE and non-desktop parent processes suggesting malware-driven execution, and (3) execution of known third-party window inspection utilities used by adversaries to enumerate running application windows.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate QA automation frameworks using AutoHotkey or AutoIt scripts for UI regression testing where the launching parent process is a CI/CD build agent or test runner not covered by the parent exclusion list (e.g., jenkins.exe, bamboo-agent.exe)
- Windows GUI developers and security researchers using Spy++ (spyxx.exe, spyxx_amd64.exe) included with Visual Studio for window property inspection and message tracing during application debugging sessions
- IT administrators or RMM platform agents running PowerShell scripts that use Add-Type with DllImport to call user32.dll for legitimate window management tasks during unattended software installations or accessibility configuration
Other platforms for T1010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
- Test 2PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
- Test 3PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
- Test 4VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
References (10)
- https://attack.mitre.org/techniques/T1010/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-a-spy-platform-with-curious-GSM-fingerprinting/
- https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/35936/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.autohotkey.com/docs/v2/lib/WinGetTitle.htm
Unlock Pro Content
Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.