T1010 Splunk · SPL

Detect Application Window Discovery in Splunk

Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.

MITRE ATT&CK

Tactic
Discovery
Technique
T1010 Application Window Discovery
Canonical reference
https://attack.mitre.org/techniques/T1010/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval ParentImageLower=lower(ParentImage)
| eval ScriptWindowAPIEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta|python[23]?|ruby|perl)\.exe") AND
    match(CommandLineLower, "(getforegroundwindow|enumwindows|findwindow|getwindowtext|getactivewindow|enumchildwindows|getwindowlong|findwindowex)"),
    1, 0)
| eval PInvokePattern=if(
    match(ImageLower, "(powershell|pwsh)\.exe") AND
    match(CommandLineLower, "(add-type|dllimport)") AND
    match(CommandLineLower, "user32") AND
    match(CommandLineLower, "(window|hwnd)"),
    1, 0)
| eval COMShellEnum=if(
    match(ImageLower, "(powershell|pwsh|wscript|cscript|mshta)\.exe") AND
    match(CommandLineLower, "shell\.application") AND
    match(CommandLineLower, "windows\(\)"),
    1, 0)
| eval AutomationToolEnum=if(
    match(ImageLower, "(autoit3|autohotkey|ahk2exe)(_x64)?\.exe") AND
    NOT match(ParentImageLower, "(explorer|devenv|code|notepad\+\+|sublime_text|atom)\.exe"),
    1, 0)
| eval KnownWinEnumTool=if(
    match(ImageLower, "(winlister|wintitles|windowdetective|spyxx(_amd64)?|winspector)\.exe"),
    1, 0)
| eval TotalScore=ScriptWindowAPIEnum + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool
| where TotalScore > 0
| eval DetectionVector=case(
    KnownWinEnumTool=1, "Known Window Enumeration Utility",
    AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    PInvokePattern=1, "PowerShell P/Invoke Window API",
    COMShellEnum=1, "COM Shell Window Enumeration",
    ScriptWindowAPIEnum=1, "Script Window Enumeration API",
    1=1, "Unknown"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionVector, TotalScore
| sort - _time
medium severity medium confidence

Detects application window discovery via Sysmon Event ID 1 (Process Creation). Evaluates command lines from scripting engines and automation tools against known window enumeration patterns including Win32 API function names (EnumWindows, GetForegroundWindow, GetWindowText), PowerShell P/Invoke signatures loading user32.dll for window operations, COM Shell.Application window enumeration, and AutoHotkey/AutoIt spawned from non-development parent processes. A composite score is computed to prioritize alerts with multiple corroborating indicators.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
  • Screen recording, remote desktop, and accessibility software (NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction
  • Developer tooling such as UI testing frameworks (WinAppDriver, TestComplete, Ranorex) that programmatically enumerate windows
  • Python RPA automation using pywin32 or pywinauto libraries in approved business automation workflows
  • PowerShell scripts querying Shell.Application window state for IT inventory or configuration management
Download portable Sigma rule (.yml)

Other platforms for T1010

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell P/Invoke Window Enumeration via GetForegroundWindow

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.

  2. Test 2PowerShell COM Shell.Application Window Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.

  3. Test 3PowerShell Full Window Enumeration via EnumWindows Callback

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.

  4. Test 4VBScript COM Window Enumeration via Shell.Application

    Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1056.001KeyloggingT1113Screen CaptureT1518.001Security Software DiscoveryT1106Native APIT1059.001PowerShellT1059.005Visual BasicT1059.007JavaScriptT1497.001System ChecksT1057Process DiscoveryT1005Data from Local System

Same Tactic: Discovery

Popular Detections