T1061 Graphical User Interface Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1061 - Graphical User Interface: Detect suspicious remote interactive (RDP) sessions and GUI-based execution patterns
let SuspiciousGUIProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
  "regsvr32.exe", "rundll32.exe", "msbuild.exe", "certutil.exe", "bitsadmin.exe",
  "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
  "mimikatz.exe", "procdump.exe", "psexec.exe", "wmic.exe"
]);
let RunDialogIndicators = dynamic([
  "shell:startup", "shell:common startup", "%temp%", "%appdata%",
  "cmd /c", "powershell", "wscript", "cscript", "mshta"
]);
// Branch 1: Remote interactive logon events (Logon Type 10 = RemoteInteractive)
let RemoteInteractiveLogons = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 10
| where AccountName !endswith "$"
| where IpAddress != "-" and IpAddress != "127.0.0.1" and IpAddress != "::1"
| extend SessionType = "RemoteInteractive_RDP"
| project TimeGenerated, Computer, AccountName, AccountDomain, LogonType,
          IpAddress, IpPort, LogonProcessName, AuthenticationPackageName, SessionType;
// Branch 2: Suspicious processes spawned by explorer.exe (GUI double-click or Run dialog)
let ExplorerSpawnedSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ (SuspiciousGUIProcesses)
| extend SessionType = "GUI_ExplorerChild"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SessionType;
// Branch 3: Run dialog (RunDlg32) invocations with suspicious content
let RunDialogExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("rundll32.exe")
| where ProcessCommandLine has_all ("shell32.dll", "RunDlg32")
| extend SessionType = "RunDialog_Launch"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SessionType;
// Combine results
RemoteInteractiveLogons
| join kind=inner (
    ExplorerSpawnedSuspicious
    | extend TimeGenerated = Timestamp
    | union (RunDialogExecution | extend TimeGenerated = Timestamp)
) on $left.Computer == $right.DeviceName
| where datetime_diff('minute', TimeGenerated1, TimeGenerated) between (0 .. 60)
| project TimeGenerated, Computer, AccountName, IpAddress,
          SpawnedProcess = FileName, CommandLine = ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName, SessionType, SessionType1
| sort by TimeGenerated desc

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Process: Process Creation Network Traffic: Network Connection Creation Windows Security Event Log

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legitimate remote administration by IT staff connecting via RDP to manage servers and workstations
Help desk personnel using remote desktop to assist end users, spawning diagnostic tools like cmd.exe or PowerShell
Developers using interactive RDP sessions on build servers and launching development tools via GUI
Jump box or bastion host users who routinely access systems interactively and run standard administrative commands

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
  | eval event_type="remote_interactive_logon"
  | eval src_ip=Source_Network_Address
  | where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1"
  | where NOT match(Account_Name, "\$$")
  | eval logon_time=_time
  | table _time, host, Account_Name, Account_Domain, Logon_Type, src_ip, src_port, event_type, logon_time
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (ParentImage="*\\explorer.exe")
    (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\mshta.exe"
     OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\regsvr32.exe"
     OR Image="*\\rundll32.exe" OR Image="*\\certutil.exe" OR Image="*\\net.exe"
     OR Image="*\\whoami.exe" OR Image="*\\nltest.exe" OR Image="*\\wmic.exe"
     OR Image="*\\mimikatz.exe" OR Image="*\\procdump.exe" OR Image="*\\psexec.exe")
  | eval event_type="gui_spawned_suspicious_process"
  | eval process_time=_time
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, event_type, process_time
]
| eval normed_host=lower(host)
| stats
    values(src_ip) as src_ips,
    values(Account_Name) as logon_accounts,
    values(Image) as spawned_processes,
    values(CommandLine) as command_lines,
    values(event_type) as event_types,
    min(logon_time) as first_logon,
    min(process_time) as first_process,
    count by normed_host
| eval time_delta_minutes=round((first_process - first_logon) / 60, 1)
| where time_delta_minutes >= 0 AND time_delta_minutes <= 60
| where mvcount(event_types) > 1
| table normed_host, src_ips, logon_accounts, spawned_processes, command_lines,
         first_logon, first_process, time_delta_minutes, count
| sort - count

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Process: Process Creation Windows Security Event Log Sysmon Event ID 1 Sysmon Event ID 4624

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT administrators using RDP to remote into systems and then launching administrative tools via GUI shortcuts or Start menu
Automated RDP-based provisioning or configuration management solutions that launch tools interactively
Help desk staff performing interactive troubleshooting via remote desktop sessions and running diagnostic utilities
Software testers running GUI-based test automation that connects via RDP and executes command-line tooling

Elastic Security (EQL)

eql

sequence by host.name with maxspan=60m
  [authentication where
   event.code == "4624" and
   winlog.event_data.LogonType == "10" and
   source.ip != null and
   source.ip != "127.0.0.1" and
   source.ip != "::1" and
   not user.name like~ "*$"]
  [process where
   event.type == "start" and
   process.parent.name like~ "explorer.exe" and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                     "msbuild.exe", "certutil.exe", "bitsadmin.exe", "net.exe",
                     "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
                     "mimikatz.exe", "procdump.exe", "psexec.exe", "wmic.exe")]

high severity high confidence

Data Sources

Windows Security Event Logs via Winlogbeat or Elastic Agent Windows Sysmon via Winlogbeat or Elastic Agent Elastic Endpoint Security (logs-endpoint.events.*)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

IT administrators who regularly RDP into servers and launch PowerShell or cmd.exe from the desktop or Start menu for legitimate maintenance tasks during business hours
Help desk staff connecting via remote interactive sessions to user workstations and opening diagnostic tools (ipconfig, nltest) through the Windows GUI to troubleshoot connectivity issues
Software deployment or configuration management agents (SCCM, Ansible, SaltStack) that establish remote interactive sessions and trigger installer processes as explorer.exe children during scheduled maintenance windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS hostname,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "EventID" AS event_id,
  "LogonType" AS logon_type,
  "ParentProcessName" AS parent_process,
  "ProcessName" AS spawned_process,
  "CommandLine" AS command_line
FROM events
WHERE LOGSOURCETYPEID IN (12, 13, 184)
  AND (
    (
      "EventID" = '4624'
      AND "LogonType" = '10'
      AND sourceip NOT IN ('127.0.0.1', '::1', '-', '')
      AND username NOT LIKE '%$'
    )
    OR
    (
      "EventID" = '1'
      AND "ParentProcessName" ILIKE '%\\explorer.exe'
      AND (
        "ProcessName" ILIKE '%\\cmd.exe'
        OR "ProcessName" ILIKE '%\\powershell.exe'
        OR "ProcessName" ILIKE '%\\pwsh.exe'
        OR "ProcessName" ILIKE '%\\mshta.exe'
        OR "ProcessName" ILIKE '%\\wscript.exe'
        OR "ProcessName" ILIKE '%\\cscript.exe'
        OR "ProcessName" ILIKE '%\\regsvr32.exe'
        OR "ProcessName" ILIKE '%\\rundll32.exe'
        OR "ProcessName" ILIKE '%\\msbuild.exe'
        OR "ProcessName" ILIKE '%\\certutil.exe'
        OR "ProcessName" ILIKE '%\\bitsadmin.exe'
        OR "ProcessName" ILIKE '%\\net.exe'
        OR "ProcessName" ILIKE '%\\net1.exe'
        OR "ProcessName" ILIKE '%\\whoami.exe'
        OR "ProcessName" ILIKE '%\\nltest.exe'
        OR "ProcessName" ILIKE '%\\wmic.exe'
        OR "ProcessName" ILIKE '%\\mimikatz.exe'
        OR "ProcessName" ILIKE '%\\procdump.exe'
        OR "ProcessName" ILIKE '%\\psexec.exe'
      )
    )
  )
ORDER BY event_time DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Logs via WinCollect agent or syslog forwarding Microsoft Sysmon via WinCollect agent (LOGSOURCETYPEID 184)

Required Tables

events

False Positives

Administrators using RDP to access workstations or servers and launching administrative tools such as PowerShell or cmd.exe from the Windows Start menu or taskbar during normal working hours
Automated patch management or IT ops tooling (SCCM, PDQ Deploy) that connects interactively via RDP and executes scripts using explorer.exe child processes during maintenance windows
User support sessions where technicians remote in via RDP and open diagnostic utilities (ipconfig, nltest) to troubleshoot network connectivity or domain authentication issues

Sumo Logic CSE

sql

(_sourceCategory=*windows*security* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where (EventCode = "4624" AND LogonType = "10"
         AND !(Account_Name matches "*$")
         AND Source_Network_Address != "127.0.0.1"
         AND Source_Network_Address != "::1"
         AND Source_Network_Address != "-")
   OR (EventCode = "1"
       AND ParentImage matches "*\\explorer.exe"
       AND (Image matches "*\\cmd.exe"
            OR Image matches "*\\powershell.exe"
            OR Image matches "*\\pwsh.exe"
            OR Image matches "*\\mshta.exe"
            OR Image matches "*\\wscript.exe"
            OR Image matches "*\\cscript.exe"
            OR Image matches "*\\regsvr32.exe"
            OR Image matches "*\\rundll32.exe"
            OR Image matches "*\\msbuild.exe"
            OR Image matches "*\\certutil.exe"
            OR Image matches "*\\bitsadmin.exe"
            OR Image matches "*\\net.exe"
            OR Image matches "*\\net1.exe"
            OR Image matches "*\\whoami.exe"
            OR Image matches "*\\nltest.exe"
            OR Image matches "*\\wmic.exe"
            OR Image matches "*\\mimikatz.exe"
            OR Image matches "*\\procdump.exe"
            OR Image matches "*\\psexec.exe"))
| eval event_type = if(EventCode = "4624", "rdp_logon", "gui_process_spawn")
| eval normalized_host = toLowerCase(Computer)
| timeslice 1h
| stats
    countif(event_type = "rdp_logon") as rdp_logon_count,
    countif(event_type = "gui_process_spawn") as process_spawn_count,
    values(Source_Network_Address) as src_ips,
    values(Account_Name) as logon_accounts,
    values(Image) as spawned_processes,
    values(CommandLine) as command_lines
    by normalized_host, _timeslice
| where rdp_logon_count > 0 AND process_spawn_count > 0
| sort by _timeslice desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector on Windows endpoints Windows Security Event Logs (WinEventLog:Security) Sysmon operational logs (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)

Required Tables

Windows Security log source categories Sysmon log source categories

False Positives

IT admins connecting via RDP and opening PowerShell or cmd.exe from the Start menu or desktop for system administration tasks within the same hour timeslice
VDI or Remote Desktop Services (RDS) environments where all user sessions are inherently remote interactive and users regularly launch tools from explorer.exe throughout the workday
Automated deployment pipelines that establish remote interactive sessions and invoke build or configuration scripts as explorer.exe children during scheduled maintenance windows

Google Chronicle / SecOps

yaral

rule t1061_rdp_gui_suspicious_process_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote interactive RDP logon followed by a suspicious process spawned from explorer.exe within 60 minutes on the same host — T1061 Graphical User Interface"
    mitre_attack_technique = "T1061"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $logon.metadata.event_type = "USER_LOGIN"
    $logon.extensions.auth.mechanism = "INTERACTIVE"
    $logon.network.direction = "INBOUND"
    NOT net.ip_in_range_cidr($logon.principal.ip, "127.0.0.0/8")
    NOT net.ip_in_range_cidr($logon.principal.ip, "::1/128")
    NOT re.regex($logon.target.user.userid, `\$$`)

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path, `(?i)explorer\.exe$`)
    (
      re.regex($proc.target.process.file.full_path, `(?i)cmd\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)powershell\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)pwsh\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mshta\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)cscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)regsvr32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)rundll32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)msbuild\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)certutil\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)bitsadmin\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)\bnet\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)net1\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)whoami\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)nltest\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wmic\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mimikatz\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)procdump\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)psexec\.exe$`)
    )

    $logon.target.hostname = $proc.principal.hostname
    $logon.metadata.event_timestamp.seconds <= $proc.metadata.event_timestamp.seconds
    ($proc.metadata.event_timestamp.seconds - $logon.metadata.event_timestamp.seconds) <= 3600

  condition:
    $logon and $proc
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Security Events via Chronicle Forwarder or BindPlane Sysmon events via Chronicle Forwarder or BindPlane with Windows parser

Required Tables

UDM events: USER_LOGIN UDM events: PROCESS_LAUNCH

False Positives

IT administrators performing legitimate remote administration via RDP who launch shells or management consoles from the Windows desktop during scheduled maintenance windows
VDI or Citrix environments where all user sessions are remote interactive by design and users routinely double-click desktop applications that spawn cmd.exe or PowerShell as part of normal workflows
Monitoring or endpoint management agents running within a user session context that execute diagnostic tools appearing as explorer.exe children in the process tree

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["UserLogon", "ProcessRollup2"]
| case {
    #event_simpleName = "UserLogon"
      | LogonType = 10
      | RemoteAddressIP4 != "127.0.0.1"
      | RemoteAddressIP4 != "::1"
      | NOT UserName = /.*\$$/
      | signal := "rdp_interactive_logon"
      | *;

    #event_simpleName = "ProcessRollup2"
      | ParentBaseFileName =~ "explorer.exe"
      | FileName in ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                     "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                     "msbuild.exe", "certutil.exe", "bitsadmin.exe", "net.exe",
                     "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
                     "wmic.exe", "mimikatz.exe", "procdump.exe", "psexec.exe"]
      | signal := "gui_process_spawn"
      | *;

    * | drop()
  }
| groupBy(
    [ComputerName],
    function=[
      count(field=signal, distinct=true, as=signal_type_count),
      collect([signal, UserName, RemoteAddressIP4, FileName, CommandLine, ParentBaseFileName, @timestamp])
    ]
  )
| where signal_type_count >= 2
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (EDR process and logon telemetry) Falcon Identity Protection module Falcon Insight XDR

Required Tables

UserLogon ProcessRollup2

False Positives

System administrators logging into servers via RDP and launching PowerShell or cmd.exe from the desktop to perform routine administrative tasks such as patch verification or service restarts
Remote IT support sessions where technicians use RDP to access workstations and run diagnostic tools (whoami, ipconfig, nltest) to investigate domain authentication or network routing issues
Software installation or update processes triggered by users double-clicking installers from a remote desktop session that spawn net.exe or certutil.exe as transient child processes of explorer.exe

Graphical User Interface

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections