Detect Application Window Discovery in CrowdStrike LogScale
Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1010 Application Window Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1010/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl|autoit3|autohotkey|ahk2exe|autoit3_x64|winlister|wintitles|windowdetective|spyxx|spyxx_amd64|winspector)\.exe/
| ScriptWindowAPI := if(
ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe/ and
CommandLine = /(?i)(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex|getwindowinfo)/,
then=1, else=0)
| PInvokePattern := if(
ImageFileName = /(?i)(powershell|pwsh)\.exe/ and
CommandLine = /(?i)(add-type|dllimport)/ and
CommandLine = /(?i)user32/ and
CommandLine = /(?i)(window|hwnd)/,
then=1, else=0)
| COMShellEnum := if(
ImageFileName = /(?i)(powershell|pwsh|wscript|cscript|mshta)\.exe/ and
CommandLine = /(?i)shell\.application/ and
CommandLine = /(?i)windows\(\)/,
then=1, else=0)
| AutomationToolEnum := if(
ImageFileName = /(?i)(autoit3|autohotkey|ahk2exe)(_x64)?\.exe/ and
not ParentBaseFileName = /(?i)(explorer|devenv|code|notepad\+\+|sublime_text|atom|cursor)\.exe/,
then=1, else=0)
| KnownWinEnumTool := if(
ImageFileName = /(?i)(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe/,
then=1, else=0)
| TotalScore := ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| TotalScore > 0
| DetectionVector := case {
KnownWinEnumTool = 1 => "Known Window Enumeration Utility" ;
AutomationToolEnum = 1 => "Automation Tool Window Enumeration (Unusual Parent)" ;
PInvokePattern = 1 => "PowerShell P/Invoke Window API" ;
COMShellEnum = 1 => "COM Shell Window Enumeration" ;
ScriptWindowAPI = 1 => "Script Window Enumeration API" ;
* => "Unknown"
}
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionVector, TotalScore])
| sort(field=timestamp, order=desc)CrowdStrike Falcon LogScale detection for T1010 Application Window Discovery using ProcessRollup2 telemetry. Pre-filters to relevant process image names then scores each event across five detection vectors: script interpreter window API name references in command lines, PowerShell P/Invoke user32.dll import patterns, COM Shell.Application window enumeration, automation tool execution from non-standard parent processes, and known window enumeration utilities. Leverages Falcon's comprehensive process lineage and full command-line capture for high-fidelity detection.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate desktop automation scripts (AutoHotkey, AutoIt) used for UI test automation or business process automation where the parent process is a non-standard launcher such as a task scheduler wrapper, RPA agent, or custom script runner not in the ParentBaseFileName exclusion pattern
- Windows GUI application developers and reverse engineers running Spy++ or Window Detective for window inspection and message tracing — particularly common on developer workstations where these tools are installed as part of Visual Studio
- PowerShell scripts from IT management platforms or deployment tools that programmatically import user32.dll using Add-Type and DllImport for window management operations during automated provisioning, software updates, or accessibility configuration tasks
Other platforms for T1010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
- Test 2PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
- Test 3PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
- Test 4VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
References (10)
- https://attack.mitre.org/techniques/T1010/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-a-spy-platform-with-curious-GSM-fingerprinting/
- https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/35936/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.autohotkey.com/docs/v2/lib/WinGetTitle.htm
Unlock Pro Content
Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.