Detect Application Window Discovery in Microsoft Sentinel
Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1010 Application Window Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1010/
KQL Detection Query
let WindowAPIFunctions = dynamic([
"GetForegroundWindow", "EnumWindows", "FindWindow", "GetWindowText",
"GetActiveWindow", "EnumChildWindows", "GetWindowLong", "GetWindowRect",
"FindWindowEx", "GetWindowInfo"
]);
// Vector 1: Script interpreters referencing window enumeration API functions
let ScriptInterpreterEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "python3.exe", "ruby.exe", "perl.exe")
| where ProcessCommandLine has_any (WindowAPIFunctions)
or (ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32" and ProcessCommandLine has_any ("window", "Window", "hwnd", "hWnd"))
or (ProcessCommandLine has "Shell.Application" and ProcessCommandLine has_any ("Windows()", ".Windows "))
| extend DetectionVector = case(
ProcessCommandLine has_any ("Add-Type", "DllImport") and ProcessCommandLine has "user32", "PowerShell P/Invoke Window API",
ProcessCommandLine has "Shell.Application", "COM Shell Window Enumeration",
"Script Window Enumeration API"
);
// Vector 2: Automation tools spawned from unexpected parents (not UI or development environments)
let AutomationToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "devenv.exe", "code.exe", "notepad++.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
| extend DetectionVector = "Automation Tool Window Enumeration (Unusual Parent)";
// Vector 3: Known third-party window enumeration utilities
let KnownToolEnum = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe", "spyxx_amd64.exe", "winspector.exe")
| extend DetectionVector = "Known Window Enumeration Utility";
union ScriptInterpreterEnum, AutomationToolEnum, KnownToolEnum
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionVector
| sort by Timestamp descDetects application window discovery activity via three vectors: (1) script interpreters (PowerShell, WScript, Python) referencing Windows API functions such as EnumWindows, GetForegroundWindow, GetWindowText, or using PowerShell P/Invoke patterns loading user32.dll window APIs; (2) automation tools (AutoHotkey, AutoIt) spawned from non-development parent processes, which are commonly leveraged by malware families like Grandoreiro for window-based security tool detection; (3) known third-party window enumeration utilities (WinLister, Window Detective, Spy++). Detection confidence is medium — script-based patterns are reliably visible in command-line telemetry, but native compiled malware performing in-process API calls will not be caught without image load or process access telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
- Screen recording, remote desktop, and accessibility software (e.g., NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
- Developer tooling such as UI testing frameworks (Selenium WebDriver for Windows, WinAppDriver, TestComplete) that programmatically enumerate windows
- Python automation scripts for legitimate RPA (Robotic Process Automation) deployments using pywin32 or pywinauto
- PowerShell DSC configurations or inventory scripts that query Shell.Application window state
Other platforms for T1010
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.
- Test 2PowerShell COM Shell.Application Window Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.
- Test 3PowerShell Full Window Enumeration via EnumWindows Callback
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.
- Test 4VBScript COM Window Enumeration via Shell.Application
Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
References (10)
- https://attack.mitre.org/techniques/T1010/
- https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/
- https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
- https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-a-spy-platform-with-curious-GSM-fingerprinting/
- https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/35936/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getforegroundwindow
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.autohotkey.com/docs/v2/lib/WinGetTitle.htm
Unlock Pro Content
Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.