Detect Application Window Discovery in IBM QRadar
Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1010 Application Window Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1010/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
username AS UserName,
"Image" AS ProcessImage,
"CommandLine" AS CommandLine,
"ParentImage" AS ParentImage,
CASE
WHEN LOWER("Image") ILIKE '%winlister.exe%'
OR LOWER("Image") ILIKE '%wintitles.exe%'
OR LOWER("Image") ILIKE '%windowdetective.exe%'
OR LOWER("Image") ILIKE '%spyxx%'
OR LOWER("Image") ILIKE '%winspector.exe%'
THEN 'Known Window Enumeration Utility'
WHEN (LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%' OR LOWER("Image") ILIKE '%ahk2exe.exe%')
AND NOT (LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%' OR LOWER("ParentImage") ILIKE '%code.exe%')
THEN 'Automation Tool Window Enumeration (Unusual Parent)'
WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%')
AND LOWER("CommandLine") ILIKE '%add-type%'
AND LOWER("CommandLine") ILIKE '%dllimport%'
AND LOWER("CommandLine") ILIKE '%user32%'
THEN 'PowerShell P/Invoke Window API'
WHEN (LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%' OR LOWER("Image") ILIKE '%mshta.exe%')
AND LOWER("CommandLine") ILIKE '%shell.application%'
AND LOWER("CommandLine") ILIKE '%windows()%'
THEN 'COM Shell Window Enumeration'
ELSE 'Script Window Enumeration API'
END AS DetectionVector
FROM events
WHERE
(LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%')
AND (
(
(LOWER("Image") ILIKE '%powershell.exe%' OR LOWER("Image") ILIKE '%pwsh.exe%'
OR LOWER("Image") ILIKE '%wscript.exe%' OR LOWER("Image") ILIKE '%cscript.exe%'
OR LOWER("Image") ILIKE '%mshta.exe%' OR LOWER("Image") ILIKE '%python.exe%'
OR LOWER("Image") ILIKE '%python3.exe%' OR LOWER("Image") ILIKE '%ruby.exe%'
OR LOWER("Image") ILIKE '%perl.exe%')
AND (
LOWER("CommandLine") ILIKE '%getforegroundwindow%' OR
LOWER("CommandLine") ILIKE '%enumwindows%' OR
LOWER("CommandLine") ILIKE '%findwindow%' OR
LOWER("CommandLine") ILIKE '%getwindowtext%' OR
LOWER("CommandLine") ILIKE '%getactivewindow%' OR
LOWER("CommandLine") ILIKE '%enumchildwindows%' OR
LOWER("CommandLine") ILIKE '%getwindowlong%' OR
LOWER("CommandLine") ILIKE '%findwindowex%' OR
(
LOWER("CommandLine") ILIKE '%add-type%' AND
LOWER("CommandLine") ILIKE '%dllimport%' AND
LOWER("CommandLine") ILIKE '%user32%' AND
(LOWER("CommandLine") ILIKE '%window%' OR LOWER("CommandLine") ILIKE '%hwnd%')
) OR
(
LOWER("CommandLine") ILIKE '%shell.application%' AND
LOWER("CommandLine") ILIKE '%windows()%'
)
)
) OR
(
(LOWER("Image") ILIKE '%autoit3.exe%' OR LOWER("Image") ILIKE '%autohotkey.exe%'
OR LOWER("Image") ILIKE '%ahk2exe.exe%' OR LOWER("Image") ILIKE '%autoit3_x64.exe%')
AND NOT (
LOWER("ParentImage") ILIKE '%explorer.exe%' OR LOWER("ParentImage") ILIKE '%devenv.exe%'
OR LOWER("ParentImage") ILIKE '%code.exe%' OR LOWER("ParentImage") ILIKE '%notepad++.exe%'
OR LOWER("ParentImage") ILIKE '%sublime_text.exe%' OR LOWER("ParentImage") ILIKE '%atom.exe%'
OR LOWER("ParentImage") ILIKE '%cursor.exe%'
)
) OR
(
LOWER("Image") ILIKE '%winlister.exe%' OR LOWER("Image") ILIKE '%wintitles.exe%'
OR LOWER("Image") ILIKE '%windowdetective.exe%' OR LOWER("Image") ILIKE '%spyxx.exe%'
OR LOWER("Image") ILIKE '%spyxx_amd64.exe%' OR LOWER("Image") ILIKE '%winspector.exe%'
)
)
ORDER BY starttime DESC
LAST 24 HOURS

Detects T1010 Application Window Discovery in IBM QRadar using Windows Sysmon or Security event data. The query matches process creation events for script interpreters whose command line references window enumeration API names, P/Invoke user32.dll import patterns, or COM Shell.Application window enumeration; automation tools (AutoIt, AutoHotkey) with unexpected parent processes; and known window listing utilities. Requires Custom Event Properties (CEPs) for Image, CommandLine, and ParentImage to be configured for the Sysmon log source type in QRadar. Note that in AQL the time range clause (LAST 24 HOURS) must come after ORDER BY.
Data Sources
Required Tables
False Positives & Tuning
- UI automation scripts using AutoHotkey or AutoIt deployed by QA teams or software test pipelines where the parent process is a build agent, task scheduler, or test runner not present in the parent image exclusion conditions
- Security engineers and Windows developers using Spy++ (spyxx.exe or spyxx_amd64.exe) from the Visual Studio toolset for window message tracing and hierarchy inspection during routine GUI development
- PowerShell-based deployment automation or endpoint management tools (e.g., custom SCCM scripts, PDQ Deploy actions) that dynamically import user32.dll via Add-Type for window manipulation during silent software installation
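To check the query's CASE branches and the parent-process exclusions listed above before deploying it, here is an added Python re-implementation of the WHERE filter and DetectionVector labels run over constructed Sysmon Event ID 1 records (example code, not part of the original page; the sample paths and command lines are made up, and the cscript case shows the Test 4 gap where the script body is not on the command line):

```python
# Added example, not the page's own code: the AQL query's WHERE filter and CASE labels
# re-implemented in Python. ILIKE '%x%' is a substring match, so _any_in() matches the same way.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "python.exe", "python3.exe", "ruby.exe", "perl.exe")
AUTOMATION_TOOLS = ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe")
BENIGN_PARENTS = ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe",
                  "sublime_text.exe", "atom.exe", "cursor.exe")
UTILITIES = ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe",
             "spyxx_amd64.exe", "winspector.exe")
WINDOW_APIS = ("getforegroundwindow", "enumwindows", "findwindow", "getwindowtext",
               "getactivewindow", "enumchildwindows", "getwindowlong", "findwindowex")

def _any_in(text, needles):
    return any(n in text for n in needles)

def classify(event):
    """DetectionVector the query would assign, or None when the WHERE clause drops the row."""
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    pinvoke = all(k in cmd for k in ("add-type", "dllimport", "user32"))
    com_shell = "shell.application" in cmd and "windows()" in cmd
    if _any_in(image, UTILITIES):                 # known listing tools: no command-line test
        return "Known Window Enumeration Utility"
    if _any_in(image, AUTOMATION_TOOLS):          # automation tools: tuned by parent only
        return (None if _any_in(parent, BENIGN_PARENTS)
                else "Automation Tool Window Enumeration (Unusual Parent)")
    if _any_in(image, SCRIPT_HOSTS) and (_any_in(cmd, WINDOW_APIS) or com_shell
                                         or (pinvoke and _any_in(cmd, ("window", "hwnd")))):
        if pinvoke and _any_in(image, ("powershell.exe", "pwsh.exe")):
            return "PowerShell P/Invoke Window API"
        if com_shell and _any_in(image, ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")):
            return "COM Shell Window Enumeration"
        return "Script Window Enumeration API"    # e.g. python.exe naming EnumWindows
    return None

def ev(image, cmd, parent=""):
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent}

# Constructed Sysmon Event ID 1 records for the checks; paths and command lines are made up.
SAMPLE_EVENTS = {
    "pinvoke": ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell -c Add-Type DllImport user32.dll GetForegroundWindow", r"C:\Windows\explorer.exe"),
    "com": ev(r"C:\Windows\System32\wscript.exe", "wscript Shell.Application Windows() list.js"),
    "vbs_file": ev(r"C:\Windows\System32\cscript.exe", r"cscript //e:vbscript C:\Temp\wintenum.vbs"),  # Test 4 gap
    "autoit_ide": ev(r"C:\Tools\AutoIt3.exe", "AutoIt3.exe build.au3", r"C:\Program Files\Microsoft VS Code\Code.exe"),
    "autoit_odd": ev(r"C:\Tools\AutoIt3.exe", "AutoIt3.exe run.au3", r"C:\Windows\System32\wscript.exe"),
    "spyxx": ev(r"C:\VS\spyxx_amd64.exe", "spyxx_amd64.exe"),
    "pyapi": ev(r"C:\Python\python.exe", "python -c win32gui.EnumWindows"),
}
```

Feeding the same records through the QRadar query after the CEPs are in place should give the same labels; a mismatch points at a CEP parsing problem rather than the rule logic.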
Other platforms for T1010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
- Test 2: PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
- Test 3: PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
- Test 4: VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
References (10)
- https://attack.mitre.org/techniques/T1010/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-a-spy-platform-with-curious-GSM-fingerprinting/
- https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/35936/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.autohotkey.com/docs/v2/lib/WinGetTitle.htm