Which SIEM platforms have a T1061 detection rule?

df00tech provides T1061 (Graphical User Interface) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1061 detection?

The T1061 detection is rated medium severity with medium confidence.

What are common false positives for T1061?

Common false positives for T1061 include: Legitimate remote administration by IT staff connecting via RDP to manage servers and workstations; Help desk personnel using remote desktop to assist end users, spawning diagnostic tools like cmd.exe or PowerShell; Developers using interactive RDP sessions on build servers and launching development tools via GUI.

T1061

Graphical User Interface

Q: What data sources are required to detect Graphical User Interface (T1061)?

Detecting Graphical User Interface requires the following data sources: Logon Session: Logon Session Creation, Process: Process Creation, Network Traffic: Network Connection Creation, Windows Security Event Log.

Execution Last updated: April 16, 2026

Adversaries may use a system's graphical user interface (GUI) during an operation, commonly through a remote interactive session such as Remote Desktop Protocol (RDP), instead of a command-line interpreter. GUI-based interaction allows adversaries to search for information, execute files via mouse double-click, use the Windows Run command, or perform other actions that may be more difficult to monitor than command-line activity. This technique has been deprecated in favor of Remote Services (T1021), but detection of suspicious interactive GUI sessions remains operationally relevant. Key indicators include remote interactive logon events (Logon Type 10), unexpected explorer.exe child processes, Run dialog command usage, and interactive sessions established outside of normal business hours or from unusual source IP addresses.

What is T1061 Graphical User Interface?

Graphical User Interface (T1061) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Graphical User Interface, covering the data sources and telemetry it touches: Logon Session: Logon Session Creation, Process: Process Creation, Network Traffic: Network Connection Creation, Windows Security Event Log. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Canonical reference: https://attack.mitre.org/techniques/T1061/

Microsoft Sentinel / Defender

kusto

// T1061 - Graphical User Interface: Detect suspicious remote interactive (RDP) sessions and GUI-based execution patterns
let SuspiciousGUIProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
  "regsvr32.exe", "rundll32.exe", "msbuild.exe", "certutil.exe", "bitsadmin.exe",
  "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
  "mimikatz.exe", "procdump.exe", "psexec.exe", "wmic.exe"
]);
let RunDialogIndicators = dynamic([
  "shell:startup", "shell:common startup", "%temp%", "%appdata%",
  "cmd /c", "powershell", "wscript", "cscript", "mshta"
]);
// Branch 1: Remote interactive logon events (Logon Type 10 = RemoteInteractive)
let RemoteInteractiveLogons = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 10
| where AccountName !endswith "$"
| where IpAddress != "-" and IpAddress != "127.0.0.1" and IpAddress != "::1"
| extend SessionType = "RemoteInteractive_RDP"
| project TimeGenerated, Computer, AccountName, AccountDomain, LogonType,
          IpAddress, IpPort, LogonProcessName, AuthenticationPackageName, SessionType;
// Branch 2: Suspicious processes spawned by explorer.exe (GUI double-click or Run dialog)
let ExplorerSpawnedSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ (SuspiciousGUIProcesses)
| extend SessionType = "GUI_ExplorerChild"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SessionType;
// Branch 3: Run dialog (RunDlg32) invocations with suspicious content
let RunDialogExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("rundll32.exe")
| where ProcessCommandLine has_all ("shell32.dll", "RunDlg32")
| extend SessionType = "RunDialog_Launch"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SessionType;
// Combine results
RemoteInteractiveLogons
| join kind=inner (
    ExplorerSpawnedSuspicious
    | extend TimeGenerated = Timestamp
    | union (RunDialogExecution | extend TimeGenerated = Timestamp)
) on $left.Computer == $right.DeviceName
| where datetime_diff('minute', TimeGenerated1, TimeGenerated) between (0 .. 60)
| project TimeGenerated, Computer, AccountName, IpAddress,
          SpawnedProcess = FileName, CommandLine = ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName, SessionType, SessionType1
| sort by TimeGenerated desc

Detects suspicious GUI-based adversary activity by correlating remote interactive logon events (Logon Type 10, RDP) with subsequent suspicious process execution via explorer.exe child processes or Windows Run dialog. Uses SecurityEvent for logon tracking and DeviceProcessEvents for process genealogy. Flags interactive sessions from external IPs followed by execution of reconnaissance, credential dumping, or lateral movement tools launched through the GUI rather than a command shell.

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Process: Process Creation Network Traffic: Network Connection Creation Windows Security Event Log

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legitimate remote administration by IT staff connecting via RDP to manage servers and workstations
Help desk personnel using remote desktop to assist end users, spawning diagnostic tools like cmd.exe or PowerShell
Developers using interactive RDP sessions on build servers and launching development tools via GUI
Jump box or bastion host users who routinely access systems interactively and run standard administrative commands

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
  | eval event_type="remote_interactive_logon"
  | eval src_ip=Source_Network_Address
  | where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1"
  | where NOT match(Account_Name, "\$$")
  | eval logon_time=_time
  | table _time, host, Account_Name, Account_Domain, Logon_Type, src_ip, src_port, event_type, logon_time
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (ParentImage="*\\explorer.exe")
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\mshta.exe"
     OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\regsvr32.exe"
     OR Image="*\\rundll32.exe" OR Image="*\\certutil.exe" OR Image="*\\net.exe"
     OR Image="*\\whoami.exe" OR Image="*\\nltest.exe" OR Image="*\\wmic.exe"
     OR Image="*\\mimikatz.exe" OR Image="*\\procdump.exe" OR Image="*\\psexec.exe")
  | eval event_type="gui_spawned_suspicious_process"
  | eval process_time=_time
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, event_type, process_time
]
| eval normed_host=lower(host)
| stats
    values(src_ip) as src_ips,
    values(Account_Name) as logon_accounts,
    values(Image) as spawned_processes,
    values(CommandLine) as command_lines,
    values(event_type) as event_types,
    min(logon_time) as first_logon,
    min(process_time) as first_process,
    count by normed_host
| eval time_delta_minutes=round((first_process - first_logon) / 60, 1)
| where time_delta_minutes >= 0 AND time_delta_minutes <= 60
| where mvcount(event_types) > 1
| table normed_host, src_ips, logon_accounts, spawned_processes, command_lines,
         first_logon, first_process, time_delta_minutes, count
| sort - count

Detects suspicious GUI-based execution by correlating Windows Security Event ID 4624 (Logon Type 10 remote interactive) with Sysmon Event ID 1 process creation events where explorer.exe spawns suspicious tools. Joins on hostname and correlates events within a 60-minute window, requiring both a remote interactive logon and subsequent suspicious process execution to reduce false positives. The time_delta_minutes field helps analysts understand how quickly post-logon activity occurred.

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Process: Process Creation Windows Security Event Log Sysmon Event ID 1 Sysmon Event ID 4624

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT administrators using RDP to remote into systems and then launching administrative tools via GUI shortcuts or Start menu
Automated RDP-based provisioning or configuration management solutions that launch tools interactively
Help desk staff performing interactive troubleshooting via remote desktop sessions and running diagnostic utilities
Software testers running GUI-based test automation that connects via RDP and executes command-line tooling

Elastic Security (EQL)

eql

sequence by host.name with maxspan=60m
  [authentication where
   event.code == "4624" and
   winlog.event_data.LogonType == "10" and
   source.ip != null and
   source.ip != "127.0.0.1" and
   source.ip != "::1" and
   not user.name like~ "*$"]
  [process where
   event.type == "start" and
   process.parent.name like~ "explorer.exe" and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                     "msbuild.exe", "certutil.exe", "bitsadmin.exe", "net.exe",
                     "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
                     "mimikatz.exe", "procdump.exe", "psexec.exe", "wmic.exe")]

EQL sequence detection that correlates a Windows remote interactive logon (Event ID 4624, LogonType 10) from a non-localhost source IP with a subsequent suspicious process spawned by explorer.exe on the same host within 60 minutes. Covers adversaries who establish RDP sessions and use the GUI to launch attack tooling via double-click, Run dialog, or desktop shortcuts. Requires Winlogbeat or Elastic Agent with the Windows integration deployed, collecting both Security and Sysmon operational logs.

high severity high confidence

Data Sources

Windows Security Event Logs via Winlogbeat or Elastic Agent Windows Sysmon via Winlogbeat or Elastic Agent Elastic Endpoint Security (logs-endpoint.events.*)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

IT administrators who regularly RDP into servers and launch PowerShell or cmd.exe from the desktop or Start menu for legitimate maintenance tasks during business hours
Help desk staff connecting via remote interactive sessions to user workstations and opening diagnostic tools (ipconfig, nltest) through the Windows GUI to troubleshoot connectivity issues
Software deployment or configuration management agents (SCCM, Ansible, SaltStack) that establish remote interactive sessions and trigger installer processes as explorer.exe children during scheduled maintenance windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventID" AS event_id,
  "LogonType" AS logon_type,
  "ParentProcessName" AS parent_process,
  "ProcessName" AS spawned_process,
  "CommandLine" AS command_line
FROM events
WHERE LOGSOURCETYPEID IN (12, 13, 184)
  AND (
    (
      "EventID" = '4624'
      AND "LogonType" = '10'
      AND sourceip NOT IN ('127.0.0.1', '::1', '-', '')
      AND username NOT LIKE '%$'
    )
    OR
    (
      "EventID" = '1'
      AND "ParentProcessName" ILIKE '%\\explorer.exe'
      AND (
        "ProcessName" ILIKE '%\\cmd.exe'
        OR "ProcessName" ILIKE '%\\powershell.exe'
        OR "ProcessName" ILIKE '%\\pwsh.exe'
        OR "ProcessName" ILIKE '%\\mshta.exe'
        OR "ProcessName" ILIKE '%\\wscript.exe'
        OR "ProcessName" ILIKE '%\\cscript.exe'
        OR "ProcessName" ILIKE '%\\regsvr32.exe'
        OR "ProcessName" ILIKE '%\\rundll32.exe'
        OR "ProcessName" ILIKE '%\\msbuild.exe'
        OR "ProcessName" ILIKE '%\\certutil.exe'
        OR "ProcessName" ILIKE '%\\bitsadmin.exe'
        OR "ProcessName" ILIKE '%\\net.exe'
        OR "ProcessName" ILIKE '%\\net1.exe'
        OR "ProcessName" ILIKE '%\\whoami.exe'
        OR "ProcessName" ILIKE '%\\nltest.exe'
        OR "ProcessName" ILIKE '%\\wmic.exe'
        OR "ProcessName" ILIKE '%\\mimikatz.exe'
        OR "ProcessName" ILIKE '%\\procdump.exe'
        OR "ProcessName" ILIKE '%\\psexec.exe'
      )
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS

QRadar AQL query targeting Windows Security (LOGSOURCETYPEID 12), Windows System (13), and Sysmon (184) log sources to surface remote interactive logon events (EventID 4624, LogonType 10) from non-local IPs alongside suspicious processes spawned by explorer.exe (Sysmon EventID 1). Custom properties EventID, LogonType, ParentProcessName, ProcessName, and CommandLine must be defined in QRadar's DSM Editor or via the Universal DSM. Cross-event temporal correlation (same hostname within 60 minutes) should be implemented as a QRadar Building Block pair with a correlated Offense rule referencing both event categories.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Logs via WinCollect agent or syslog forwarding Microsoft Sysmon via WinCollect agent (LOGSOURCETYPEID 184)

Required Tables

events

False Positives

Administrators using RDP to access workstations or servers and launching administrative tools such as PowerShell or cmd.exe from the Windows Start menu or taskbar during normal working hours
Automated patch management or IT ops tooling (SCCM, PDQ Deploy) that connects interactively via RDP and executes scripts using explorer.exe child processes during maintenance windows
User support sessions where technicians remote in via RDP and open diagnostic utilities (ipconfig, nltest) to troubleshoot network connectivity or domain authentication issues

Sumo Logic CSE

sql

(_sourceCategory=*windows*security* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where (EventCode = "4624" AND LogonType = "10"
         AND !(Account_Name matches "*$")
         AND Source_Network_Address != "127.0.0.1"
         AND Source_Network_Address != "::1"
         AND Source_Network_Address != "-")
   OR (EventCode = "1"
       AND ParentImage matches "*\\explorer.exe"
       AND (Image matches "*\\cmd.exe"
            OR Image matches "*\\powershell.exe"
            OR Image matches "*\\pwsh.exe"
            OR Image matches "*\\mshta.exe"
            OR Image matches "*\\wscript.exe"
            OR Image matches "*\\cscript.exe"
            OR Image matches "*\\regsvr32.exe"
            OR Image matches "*\\rundll32.exe"
            OR Image matches "*\\msbuild.exe"
            OR Image matches "*\\certutil.exe"
            OR Image matches "*\\bitsadmin.exe"
            OR Image matches "*\\net.exe"
            OR Image matches "*\\net1.exe"
            OR Image matches "*\\whoami.exe"
            OR Image matches "*\\nltest.exe"
            OR Image matches "*\\wmic.exe"
            OR Image matches "*\\mimikatz.exe"
            OR Image matches "*\\procdump.exe"
            OR Image matches "*\\psexec.exe"))
| eval event_type = if(EventCode = "4624", "rdp_logon", "gui_process_spawn")
| eval normalized_host = toLowerCase(Computer)
| timeslice 1h
| stats
    countif(event_type = "rdp_logon") as rdp_logon_count,
    countif(event_type = "gui_process_spawn") as process_spawn_count,
    values(Source_Network_Address) as src_ips,
    values(Account_Name) as logon_accounts,
    values(Image) as spawned_processes,
    values(CommandLine) as command_lines
    by normalized_host, _timeslice
| where rdp_logon_count > 0 AND process_spawn_count > 0
| sort by _timeslice desc

Sumo Logic query combining Windows Security and Sysmon event sources to detect remote interactive RDP logon (EventID 4624, LogonType 10) co-occurring with explorer.exe spawning a suspicious child process (Sysmon EventID 1) within the same 1-hour timeslice per host. The timeslice-based stats aggregation only surfaces hosts where both signal types appear in the same window, substantially reducing noise. Adjust the _sourceCategory values to match your collector configuration. For tighter correlation, reduce timeslice to 15m or 30m in lower-noise environments.

high severity high confidence

Data Sources

Sumo Logic Installed Collector on Windows endpoints Windows Security Event Logs (WinEventLog:Security) Sysmon operational logs (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)

Required Tables

Windows Security log source categories Sysmon log source categories

False Positives

IT admins connecting via RDP and opening PowerShell or cmd.exe from the Start menu or desktop for system administration tasks within the same hour timeslice
VDI or Remote Desktop Services (RDS) environments where all user sessions are inherently remote interactive and users regularly launch tools from explorer.exe throughout the workday
Automated deployment pipelines that establish remote interactive sessions and invoke build or configuration scripts as explorer.exe children during scheduled maintenance windows

Google Chronicle / SecOps

yaral

rule t1061_rdp_gui_suspicious_process_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote interactive RDP logon followed by a suspicious process spawned from explorer.exe within 60 minutes on the same host — T1061 Graphical User Interface"
    mitre_attack_technique = "T1061"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $logon.metadata.event_type = "USER_LOGIN"
    $logon.extensions.auth.mechanism = "INTERACTIVE"
    $logon.network.direction = "INBOUND"
    NOT net.ip_in_range_cidr($logon.principal.ip, "127.0.0.0/8")
    NOT net.ip_in_range_cidr($logon.principal.ip, "::1/128")
    NOT re.regex($logon.target.user.userid, `\$$`)

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path, `(?i)explorer\.exe$`)
    (
      re.regex($proc.target.process.file.full_path, `(?i)cmd\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)powershell\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)pwsh\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mshta\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)cscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)regsvr32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)rundll32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)msbuild\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)certutil\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)bitsadmin\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)\bnet\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)net1\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)whoami\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)nltest\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wmic\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mimikatz\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)procdump\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)psexec\.exe$`)
    )

    $logon.target.hostname = $proc.principal.hostname
    $logon.metadata.event_timestamp.seconds <= $proc.metadata.event_timestamp.seconds
    ($proc.metadata.event_timestamp.seconds - $logon.metadata.event_timestamp.seconds) <= 3600

  condition:
    $logon and $proc
}

Google Chronicle YARA-L 2.0 rule correlating USER_LOGIN events (remote interactive INBOUND INTERACTIVE mechanism — RDP) with PROCESS_LAUNCH events where the parent is explorer.exe and the child is a high-risk executable within 60 minutes (3600 seconds) on the same hostname. Uses UDM field model with net.ip_in_range_cidr for loopback exclusion and re.regex for case-insensitive process name matching. Requires Windows Security and Sysmon telemetry ingested into Chronicle via the Chronicle Forwarder or BindPlane agent with Windows normalization enabled.

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Security Events via Chronicle Forwarder or BindPlane Sysmon events via Chronicle Forwarder or BindPlane with Windows parser

Required Tables

UDM events: USER_LOGIN UDM events: PROCESS_LAUNCH

False Positives

IT administrators performing legitimate remote administration via RDP who launch shells or management consoles from the Windows desktop during scheduled maintenance windows
VDI or Citrix environments where all user sessions are remote interactive by design and users routinely double-click desktop applications that spawn cmd.exe or PowerShell as part of normal workflows
Monitoring or endpoint management agents running within a user session context that execute diagnostic tools appearing as explorer.exe children in the process tree

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["UserLogon", "ProcessRollup2"]
| case {
    #event_simpleName = "UserLogon"
      | LogonType = 10
      | RemoteAddressIP4 != "127.0.0.1"
      | RemoteAddressIP4 != "::1"
      | NOT UserName = /.*\$$/
      | signal := "rdp_interactive_logon"
      | *;

    #event_simpleName = "ProcessRollup2"
      | ParentBaseFileName =~ "explorer.exe"
      | FileName in ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                     "msbuild.exe", "certutil.exe", "bitsadmin.exe", "net.exe",
                     "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
                     "wmic.exe", "mimikatz.exe", "procdump.exe", "psexec.exe"]
      | signal := "gui_process_spawn"
      | *;

    * | drop()
  }
| groupBy(
    [ComputerName],
    function=[
      count(field=signal, distinct=true, as=signal_type_count),
      collect([signal, UserName, RemoteAddressIP4, FileName, CommandLine, ParentBaseFileName, @timestamp])
    ]
  )
| where signal_type_count >= 2
| sort(@timestamp, order=desc)

CrowdStrike LogScale (Falcon NG-SIEM) composite query ingesting both UserLogon (LogonType=10 remote interactive RDP from non-loopback IPs) and ProcessRollup2 (explorer.exe spawning a high-risk child process) events in a single pass. Groups by ComputerName and requires at least 2 distinct signal types to be present, returning only hosts where an RDP session and a GUI-launched suspicious process co-occurred. For strict 60-minute window enforcement, add a post-filter on the min/max @timestamp difference from the collected array. Requires Falcon sensor with Identity Protection telemetry and full process rollup enabled.

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (EDR process and logon telemetry) Falcon Identity Protection module Falcon Insight XDR

Required Tables

UserLogon ProcessRollup2

False Positives

System administrators logging into servers via RDP and launching PowerShell or cmd.exe from the desktop to perform routine administrative tasks such as patch verification or service restarts
Remote IT support sessions where technicians use RDP to access workstations and run diagnostic tools (whoami, ipconfig, nltest) to investigate domain authentication or network routing issues
Software installation or update processes triggered by users double-clicking installers from a remote desktop session that spawn net.exe or certutil.exe as transient child processes of explorer.exe

Sigma rule & cross-platform mapping

The detection logic for Graphical User Interface (T1061) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1061 Sigma rules on detection.fyi

Platform-specific guides for T1061

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Remote Desktop Session with Suspicious Process Execution
Expected signal: Security Event ID 4624 (Logon Type 10) on target host showing source IP 127.0.0.1 (loopback for local test). Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe and CommandLine containing whoami, ipconfig, net. Security Event ID 4634/4647 on logoff.
Test 2Windows Run Dialog Command Execution
Expected signal: Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe (Run dialog parent). Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU recording the executed command. File creation of gui_test.txt in TEMP.
Test 3RDP Session Discovery Commands via GUI
Expected signal: Sysmon Event ID 1 for cmd.exe spawned by explorer.exe, followed by child processes (whoami.exe, net.exe, ipconfig.exe, systeminfo.exe, tasklist.exe, netstat.exe, nltest.exe, reg.exe). Multiple process creation events within seconds from the same parent PID.
Test 4Explorer File Double-Click Execution via GUI
Expected signal: Sysmon Event ID 11: File creation of update_service.exe in TEMP. Sysmon Event ID 1: calc.exe (renamed update_service.exe) created with ParentImage=explorer.exe. The renamed binary parent-child relationship is a key indicator of GUI double-click execution.
Test 5Enumerate Recent RDP Connection History
Expected signal: Sysmon Event ID 1: reg.exe created with CommandLine querying Terminal Server Client registry paths. Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Terminal Server Client\Default for the simulated connection. Provides evidence of an adversary enumerating RDP history to identify lateral movement targets.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1061 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Graphical User Interface

What is T1061 Graphical User Interface?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1061

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1061 Graphical User Interface?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1061

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox