T1010 Sumo Logic CSE · Sumo

Detect Application Window Discovery in Sumo Logic CSE

Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability.

MITRE ATT&CK

Tactic: Discovery
Technique: T1010 Application Window Discovery
Canonical reference: https://attack.mitre.org/techniques/T1010/

Sumo Detection Query

Sumo Logic CSE (Sumo)
```sql
// Sysmon Event ID 1 (Process Create) from the Windows / Sysmon source categories
(_sourceCategory=*Windows* OR _sourceCategory=*sysmon*) EventID=1
| parse "Image: *\n" as Image nodrop
| parse "CommandLine: *\n" as CommandLine nodrop
| parse "ParentImage: *\n" as ParentImage nodrop
| parse "User: *\n" as User nodrop
| toLowerCase(Image) as image_lower
| toLowerCase(CommandLine) as cmdline_lower
| toLowerCase(ParentImage) as parent_lower
// Vector 1: script interpreter whose command line names a user32 window API
| if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*" or
     image_lower matches "*wscript.exe*" or image_lower matches "*cscript.exe*" or
     image_lower matches "*mshta.exe*" or image_lower matches "*python.exe*" or
     image_lower matches "*python3.exe*" or image_lower matches "*ruby.exe*" or
     image_lower matches "*perl.exe*") and
    (cmdline_lower matches "*getforegroundwindow*" or cmdline_lower matches "*enumwindows*" or
     cmdline_lower matches "*findwindow*" or cmdline_lower matches "*getwindowtext*" or
     cmdline_lower matches "*getactivewindow*" or cmdline_lower matches "*enumchildwindows*" or
     cmdline_lower matches "*getwindowlong*" or cmdline_lower matches "*findwindowex*"),
    1, 0) as ScriptWindowAPI
// Vector 2: PowerShell P/Invoke import of user32.dll that references windows or handles
| if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*pwsh.exe*") and
    cmdline_lower matches "*add-type*" and cmdline_lower matches "*dllimport*" and
    cmdline_lower matches "*user32*" and
    (cmdline_lower matches "*window*" or cmdline_lower matches "*hwnd*"),
    1, 0) as PInvokePattern
// Vector 3: COM Shell.Application.Windows() enumeration from a script host
| if(
    (image_lower matches "*powershell.exe*" or image_lower matches "*wscript.exe*" or
     image_lower matches "*cscript.exe*" or image_lower matches "*mshta.exe*") and
    cmdline_lower matches "*shell.application*" and cmdline_lower matches "*windows()*",
    1, 0) as COMShellEnum
// Vector 4: AutoIt / AutoHotkey launched from a parent other than Explorer or an IDE
| if(
    (image_lower matches "*autoit3.exe*" or image_lower matches "*autohotkey.exe*" or
     image_lower matches "*ahk2exe.exe*" or image_lower matches "*autoit3_x64.exe*") and
    !(parent_lower matches "*explorer.exe*" or parent_lower matches "*devenv.exe*" or
      parent_lower matches "*code.exe*" or parent_lower matches "*sublime_text.exe*" or
      parent_lower matches "*atom.exe*" or parent_lower matches "*cursor.exe*"),
    1, 0) as AutomationToolEnum
// Vector 5: known third-party window enumeration utilities by image name
| if(
    image_lower matches "*winlister.exe*" or image_lower matches "*wintitles.exe*" or
    image_lower matches "*windowdetective.exe*" or image_lower matches "*spyxx.exe*" or
    image_lower matches "*spyxx_amd64.exe*" or image_lower matches "*winspector.exe*",
    1, 0) as KnownWinEnumTool
| ScriptWindowAPI + PInvokePattern + COMShellEnum + AutomationToolEnum + KnownWinEnumTool as TotalScore
| where TotalScore > 0
// Label by the highest-precedence vector that fired
| if(KnownWinEnumTool=1, "Known Window Enumeration Utility",
    if(AutomationToolEnum=1, "Automation Tool Window Enumeration (Unusual Parent)",
    if(PInvokePattern=1, "PowerShell P/Invoke Window API",
    if(COMShellEnum=1, "COM Shell Window Enumeration",
    "Script Window Enumeration API")))) as DetectionVector
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, DetectionVector, TotalScore
| sort by _messageTime desc
```

Severity: medium · Confidence: medium

Detects T1010 Application Window Discovery in Sumo Logic using Sysmon EventID 1 (Process Creation) records. Parses Sysmon message fields inline and scores each event across five detection vectors: script interpreter window API calls, PowerShell P/Invoke user32.dll import patterns, COM Shell.Application window enumeration, automation tools launched from unusual parent processes, and known third-party window enumeration utilities. Events with a TotalScore greater than zero are surfaced with a categorized DetectionVector label.
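To see how the scoring behaves before deploying the query, the same five vectors can be replayed offline over Sysmon Event ID 1 message text. The Python below is an added example, not code from the original page or from Sumo Logic; the Sysmon messages it parses are constructed samples, and the vector precedence mirrors the nested if() that builds DetectionVector.

```python
import re

# Substring lists transcribed from the query's `matches "*...*"` clauses.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "python.exe", "python3.exe", "ruby.exe", "perl.exe")
WINDOW_APIS = ("getforegroundwindow", "enumwindows", "findwindow", "getwindowtext",
               "getactivewindow", "enumchildwindows", "getwindowlong", "findwindowex")
COM_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
AUTOMATION = ("autoit3.exe", "autohotkey.exe", "ahk2exe.exe", "autoit3_x64.exe")
DEV_PARENTS = ("explorer.exe", "devenv.exe", "code.exe", "sublime_text.exe", "atom.exe", "cursor.exe")
KNOWN_TOOLS = ("winlister.exe", "wintitles.exe", "windowdetective.exe", "spyxx.exe",
               "spyxx_amd64.exe", "winspector.exe")
# Same precedence as the nested if() that assigns DetectionVector in the query.
VECTOR_LABELS = (("KnownWinEnumTool", "Known Window Enumeration Utility"),
                 ("AutomationToolEnum", "Automation Tool Window Enumeration (Unusual Parent)"),
                 ("PInvokePattern", "PowerShell P/Invoke Window API"),
                 ("COMShellEnum", "COM Shell Window Enumeration"),
                 ("ScriptWindowAPI", "Script Window Enumeration API"))

def parse_sysmon(message):
    # Mirrors the query's parse "Field: *\n" ... nodrop: absent fields become ''.
    found = dict(re.findall(r"^(\w+): (.*)$", message, re.M))
    return {k: found.get(k, "") for k in ("Image", "CommandLine", "ParentImage", "User")}

def has_any(text, needles):
    return any(n in text for n in needles)

def score_event(message):
    """Return (TotalScore, DetectionVector), or None when `where TotalScore > 0` drops it."""
    ev = parse_sysmon(message)
    image, cmd, parent = (ev[k].lower() for k in ("Image", "CommandLine", "ParentImage"))
    flags = {
        "ScriptWindowAPI": has_any(image, SCRIPT_HOSTS) and has_any(cmd, WINDOW_APIS),
        "PInvokePattern": has_any(image, ("powershell.exe", "pwsh.exe")) and "add-type" in cmd
            and "dllimport" in cmd and "user32" in cmd and ("window" in cmd or "hwnd" in cmd),
        "COMShellEnum": has_any(image, COM_HOSTS) and "shell.application" in cmd and "windows()" in cmd,
        "AutomationToolEnum": has_any(image, AUTOMATION) and not has_any(parent, DEV_PARENTS),
        "KnownWinEnumTool": has_any(image, KNOWN_TOOLS),
    }
    total = sum(flags.values())
    if total == 0:
        return None
    return total, next(label for flag, label in VECTOR_LABELS if flags[flag])

# Constructed Sysmon Event ID 1 messages (sample data, not real telemetry).
PINVOKE_EVENT = ("Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
                 "CommandLine: powershell.exe -c Add-Type -MemberDefinition '[DllImport(\"user32.dll\")]"
                 " public static extern IntPtr GetForegroundWindow();'\nParentImage: C:\\Windows\\System32\\cmd.exe\n")
AHK_FROM_EXPLORER = ("Image: C:\\Program Files\\AutoHotkey\\AutoHotkey.exe\n"
                     "CommandLine: AutoHotkey.exe macro.ahk\nParentImage: C:\\Windows\\explorer.exe\n")
```

The P/Invoke sample fires two vectors (TotalScore 2) and is labelled by the higher-precedence P/Invoke vector, while the AutoHotkey launch from explorer.exe scores zero and is dropped, which is the parent-exclusion behaviour the tuning notes rely on.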

Data Sources

  • Sumo Logic Cloud SIEM
  • Sysmon via Sumo Logic Installed Collector
  • Windows Event Logs via Sumo Logic Collector

Required Tables

  • _sourceCategory=*Windows*
  • _sourceCategory=*sysmon*

False Positives & Tuning

  • Desktop automation scripts (AutoHotkey, AutoIt) used by QA engineers or business process automation where the launching parent is a scheduler, RPA platform, or CI agent not in the parent exclusion list
  • Windows application developers using Spy++ (spyxx.exe) or Window Detective for GUI debugging and window hierarchy inspection — these are legitimate development tools that will always trigger the known tool vector
  • PowerShell IT automation or endpoint management scripts that programmatically load user32.dll via Add-Type for window lifecycle management during mass software deployments or configuration baselines
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell P/Invoke Window Enumeration via GetForegroundWindow

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'DllImport', 'user32.dll', 'GetForegroundWindow', and 'GetWindowText'. PowerShell ScriptBlock Log Event ID 4104 in Microsoft-Windows-PowerShell/Operational will capture the full deobfuscated Add-Type code block including the user32.dll import declarations.

  2. Test 2: PowerShell COM Shell.Application Window Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Shell.Application' and 'Windows()'. PowerShell ScriptBlock Log Event ID 4104 with the full COM enumeration code. No network connection events expected as this is a local enumeration call.

  3. Test 3: PowerShell Full Window Enumeration via EnumWindows Callback

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Add-Type', 'EnumWindows', 'GetWindowText', 'IsWindowVisible', and 'user32.dll'. PowerShell ScriptBlock Log Event ID 4104 with the full multi-line Add-Type type definition including all three DllImport declarations and the callback delegate pattern.

  4. Test 4: VBScript COM Window Enumeration via Shell.Application

    Expected signal: File creation event (Sysmon Event ID 11) for %TEMP%\df00tech_wintenum.vbs. Sysmon Event ID 1: Process Create with Image=cscript.exe, CommandLine containing '//e:vbscript' and the .vbs filename. The VBScript content (Shell.Application COM enumeration) will be visible in script file artifacts but not the cscript command line itself — emphasizing the need for script content logging where available.
