Detect Graphical User Interface in Google Chronicle
Adversaries may use a system's graphical user interface (GUI) during an operation, commonly through a remote interactive session such as Remote Desktop Protocol (RDP), instead of a command-line interpreter. GUI-based interaction allows adversaries to search for information, execute files via mouse double-click, use the Windows Run command, or perform other actions that may be more difficult to monitor than command-line activity. This technique has been deprecated in favor of Remote Services (T1021), but detection of suspicious interactive GUI sessions remains operationally relevant. Key indicators include remote interactive logon events (Logon Type 10), unexpected explorer.exe child processes, Run dialog command usage, and interactive sessions established outside of normal business hours or from unusual source IP addresses.
MITRE ATT&CK
- Tactic
- Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1061/
YARA-L Detection Query
```yaral
rule t1061_rdp_gui_suspicious_process_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects remote interactive RDP logon followed by a suspicious process spawned from explorer.exe within 60 minutes on the same host — T1061 Graphical User Interface"
    mitre_attack_technique = "T1061"
    mitre_attack_tactic = "Execution"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    // Remote interactive inbound logon; exclude loopback sources and
    // machine accounts (userid ending in "$").
    $logon.metadata.event_type = "USER_LOGIN"
    $logon.extensions.auth.mechanism = "INTERACTIVE"
    $logon.network.direction = "INBOUND"
    not net.ip_in_range_cidr($logon.principal.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($logon.principal.ip, "::1/128")
    not re.regex($logon.target.user.userid, `\$$`)

    // Process launched from the desktop shell (explorer.exe) where the
    // child is a high-risk executable.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path, `(?i)explorer\.exe$`)
    (
      re.regex($proc.target.process.file.full_path, `(?i)cmd\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)powershell\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)pwsh\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mshta\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)cscript\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)regsvr32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)rundll32\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)msbuild\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)certutil\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)bitsadmin\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)\bnet\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)net1\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)whoami\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)nltest\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)wmic\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)mimikatz\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)procdump\.exe$`) or
      re.regex($proc.target.process.file.full_path, `(?i)psexec\.exe$`)
    )

    // Join both events on the same host: the logon's target host must be
    // the host on which the process was launched.
    $hostname = $logon.target.hostname
    $hostname = $proc.principal.hostname

    // The process launch must occur after the logon and within 3600 s of it.
    $logon.metadata.event_timestamp.seconds <= $proc.metadata.event_timestamp.seconds
    ($proc.metadata.event_timestamp.seconds - $logon.metadata.event_timestamp.seconds) <= 3600

  // Multi-event YARA-L 2.0 rules need a match section; the window matches
  // the 60-minute bound enforced above.
  match:
    $hostname over 1h

  condition:
    $logon and $proc
}
```

This Google Chronicle YARA-L 2.0 rule correlates USER_LOGIN events (remote interactive logons, i.e. INBOUND direction with the INTERACTIVE mechanism, as produced by RDP) with PROCESS_LAUNCH events whose parent is explorer.exe and whose child is a high-risk executable, within 60 minutes (3600 seconds) on the same hostname. It uses the UDM field model, with net.ip_in_range_cidr for loopback exclusion and re.regex for case-insensitive process name matching. It requires Windows Security and Sysmon telemetry ingested into Chronicle via the Chronicle Forwarder or BindPlane agent with Windows normalization enabled.
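To show the correlation logic the rule encodes outside Chronicle (for example when unit-testing the rule's thresholds against a few hand-built events), here is an added example, not part of the original page or of Chronicle's tooling. It applies the same filters to constructed, simplified UDM-like events: loopback and machine-account logons are excluded, only explorer.exe children from the rule's high-risk list count, and a spawn must fall between 0 and 3600 seconds after a logon on the same host. The child-name regex here requires a path separator before the executable name, which is slightly stricter than the rule's plain suffix match.

```python
import ipaddress
import re

# Patterns mirrored from the YARA-L rule: parent must be explorer.exe, child must be
# one of the high-risk executables (path separator required before the name).
PARENT_RE = re.compile(r"(?i)explorer\.exe$")
CHILD_RE = re.compile(
    r"(?i)(?:^|[\\/])(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|"
    r"msbuild|certutil|bitsadmin|net|net1|whoami|nltest|wmic|mimikatz|procdump|psexec)\.exe$")
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))
WINDOW_SECONDS = 3600  # same 60-minute bound as the rule


def is_candidate_logon(ev):
    """Inbound interactive logon that is neither from loopback nor a machine account."""
    if (ev["event_type"] != "USER_LOGIN" or ev["mechanism"] != "INTERACTIVE"
            or ev["direction"] != "INBOUND"):
        return False
    if any(ipaddress.ip_address(ev["src_ip"]) in net for net in LOOPBACK):
        return False
    return not ev["user"].endswith("$")  # machine accounts end in "$"


def is_suspicious_spawn(ev):
    """PROCESS_LAUNCH with explorer.exe as parent and a high-risk child."""
    return (ev["event_type"] == "PROCESS_LAUNCH"
            and PARENT_RE.search(ev["parent_path"]) is not None
            and CHILD_RE.search(ev["child_path"]) is not None)


def correlate(events):
    """Return (user, host, child_path, seconds_after_logon) for each rule hit."""
    logons = [e for e in events if is_candidate_logon(e)]
    hits = []
    for p in filter(is_suspicious_spawn, events):
        for l in logons:
            delta = p["ts"] - l["ts"]
            if l["host"] == p["host"] and 0 <= delta <= WINDOW_SECONDS:
                hits.append((l["user"], p["host"], p["child_path"], delta))
    return hits


# Constructed sample events (not real telemetry). Only the WS01 whoami.exe spawn
# should fire: WS02's logon is a machine account, WS03's comes from loopback,
# the second WS01 cmd.exe is outside the window, and notepad.exe is not high-risk.
SAMPLE_EVENTS = [
    {"event_type": "USER_LOGIN", "ts": 1000, "host": "WS01", "user": "jdoe",
     "src_ip": "10.0.5.23", "mechanism": "INTERACTIVE", "direction": "INBOUND"},
    {"event_type": "USER_LOGIN", "ts": 1100, "host": "WS02", "user": "WS02$",
     "src_ip": "10.0.5.9", "mechanism": "INTERACTIVE", "direction": "INBOUND"},
    {"event_type": "USER_LOGIN", "ts": 1200, "host": "WS03", "user": "admin",
     "src_ip": "127.0.0.1", "mechanism": "INTERACTIVE", "direction": "INBOUND"},
    {"event_type": "PROCESS_LAUNCH", "ts": 1600, "host": "WS01",
     "parent_path": r"C:\Windows\explorer.exe", "child_path": r"C:\Windows\System32\whoami.exe"},
    {"event_type": "PROCESS_LAUNCH", "ts": 5000, "host": "WS01",
     "parent_path": r"C:\Windows\explorer.exe", "child_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "PROCESS_LAUNCH", "ts": 1650, "host": "WS02",
     "parent_path": r"C:\Windows\explorer.exe", "child_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "PROCESS_LAUNCH", "ts": 1700, "host": "WS01",
     "parent_path": r"C:\Windows\explorer.exe", "child_path": r"C:\Windows\notepad.exe"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single hit for jdoe on WS01 with whoami.exe launched 600 seconds after the logon.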
Data Sources
Required Tables
False Positives & Tuning
- IT administrators performing legitimate remote administration via RDP who launch shells or management consoles from the Windows desktop during scheduled maintenance windows
- VDI or Citrix environments where all user sessions are remote interactive by design and users routinely double-click desktop applications that spawn cmd.exe or PowerShell as part of normal workflows
- Monitoring or endpoint management agents running within a user session context that execute diagnostic tools appearing as explorer.exe children in the process tree
Testing Methodology
Validate this detection against the 5 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Remote Desktop Session with Suspicious Process Execution
  Expected signal: Security Event ID 4624 (Logon Type 10) on the target host showing source IP 127.0.0.1 (loopback for the local test). Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe and CommandLine containing whoami, ipconfig, net. Security Event ID 4634/4647 on logoff.
- Test 2: Windows Run Dialog Command Execution
  Expected signal: Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe (Run dialog parent). Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU recording the executed command. File creation of gui_test.txt in TEMP.
- Test 3: RDP Session Discovery Commands via GUI
  Expected signal: Sysmon Event ID 1 for cmd.exe spawned by explorer.exe, followed by child processes (whoami.exe, net.exe, ipconfig.exe, systeminfo.exe, tasklist.exe, netstat.exe, nltest.exe, reg.exe). Multiple process creation events within seconds from the same parent PID.
- Test 4: Explorer File Double-Click Execution via GUI
  Expected signal: Sysmon Event ID 11: File creation of update_service.exe in TEMP. Sysmon Event ID 1: calc.exe (renamed update_service.exe) created with ParentImage=explorer.exe. The renamed binary's parent-child relationship is a key indicator of GUI double-click execution.
- Test 5: Enumerate Recent RDP Connection History
  Expected signal: Sysmon Event ID 1: reg.exe created with CommandLine querying Terminal Server Client registry paths. Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Terminal Server Client\Default for the simulated connection. Provides evidence of an adversary enumerating RDP history to identify lateral movement targets.
References (9)
- https://attack.mitre.org/techniques/T1061/
- https://attack.mitre.org/techniques/T1021/001/
- https://en.wikipedia.org/wiki/Run_command
- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-client-faq
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://github.com/JPCERTCC/LogonTracer