Detect Graphical User Interface in CrowdStrike LogScale
Adversaries may use a system's graphical user interface (GUI) during an operation, commonly through a remote interactive session such as Remote Desktop Protocol (RDP), instead of a command-line interpreter. GUI-based interaction allows adversaries to search for information, execute files via mouse double-click, use the Windows Run command, or perform other actions that may be more difficult to monitor than command-line activity. This technique has been deprecated in favor of Remote Services (T1021), but detection of suspicious interactive GUI sessions remains operationally relevant. Key indicators include remote interactive logon events (Logon Type 10), unexpected explorer.exe child processes, Run dialog command usage, and interactive sessions established outside of normal business hours or from unusual source IP addresses.
MITRE ATT&CK
- Tactic
- Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1061/
LogScale Detection Query
#event_simpleName in ["UserLogon", "ProcessRollup2"]
| case {
#event_simpleName = "UserLogon"
| LogonType = 10
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "::1"
| NOT UserName = /.*\$$/
| signal := "rdp_interactive_logon"
| *;
#event_simpleName = "ProcessRollup2"
| ParentBaseFileName =~ "explorer.exe"
| FileName in ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
"wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
"msbuild.exe", "certutil.exe", "bitsadmin.exe", "net.exe",
"net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe",
"wmic.exe", "mimikatz.exe", "procdump.exe", "psexec.exe"]
| signal := "gui_process_spawn"
| *;
* | drop()
}
| groupBy(
[ComputerName],
function=[
count(field=signal, distinct=true, as=signal_type_count),
collect([signal, UserName, RemoteAddressIP4, FileName, CommandLine, ParentBaseFileName, @timestamp])
]
)
| where signal_type_count >= 2
| sort(@timestamp, order=desc)CrowdStrike LogScale (Falcon NG-SIEM) composite query ingesting both UserLogon (LogonType=10 remote interactive RDP from non-loopback IPs) and ProcessRollup2 (explorer.exe spawning a high-risk child process) events in a single pass. Groups by ComputerName and requires at least 2 distinct signal types to be present, returning only hosts where an RDP session and a GUI-launched suspicious process co-occurred. For strict 60-minute window enforcement, add a post-filter on the min/max @timestamp difference from the collected array. Requires Falcon sensor with Identity Protection telemetry and full process rollup enabled.
Data Sources
Required Tables
False Positives & Tuning
- System administrators logging into servers via RDP and launching PowerShell or cmd.exe from the desktop to perform routine administrative tasks such as patch verification or service restarts
- Remote IT support sessions where technicians use RDP to access workstations and run diagnostic tools (whoami, ipconfig, nltest) to investigate domain authentication or network routing issues
- Software installation or update processes triggered by users double-clicking installers from a remote desktop session that spawn net.exe or certutil.exe as transient child processes of explorer.exe
Other platforms for T1061
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Remote Desktop Session with Suspicious Process Execution
Expected signal: Security Event ID 4624 (Logon Type 10) on target host showing source IP 127.0.0.1 (loopback for local test). Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe and CommandLine containing whoami, ipconfig, net. Security Event ID 4634/4647 on logoff.
- Test 2Windows Run Dialog Command Execution
Expected signal: Sysmon Event ID 1: cmd.exe created with ParentImage=explorer.exe (Run dialog parent). Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU recording the executed command. File creation of gui_test.txt in TEMP.
- Test 3RDP Session Discovery Commands via GUI
Expected signal: Sysmon Event ID 1 for cmd.exe spawned by explorer.exe, followed by child processes (whoami.exe, net.exe, ipconfig.exe, systeminfo.exe, tasklist.exe, netstat.exe, nltest.exe, reg.exe). Multiple process creation events within seconds from the same parent PID.
- Test 4Explorer File Double-Click Execution via GUI
Expected signal: Sysmon Event ID 11: File creation of update_service.exe in TEMP. Sysmon Event ID 1: calc.exe (renamed update_service.exe) created with ParentImage=explorer.exe. The renamed binary parent-child relationship is a key indicator of GUI double-click execution.
- Test 5Enumerate Recent RDP Connection History
Expected signal: Sysmon Event ID 1: reg.exe created with CommandLine querying Terminal Server Client registry paths. Sysmon Event ID 13: Registry value set under HKCU\Software\Microsoft\Terminal Server Client\Default for the simulated connection. Provides evidence of an adversary enumerating RDP history to identify lateral movement targets.
References (9)
- https://attack.mitre.org/techniques/T1061/
- https://attack.mitre.org/techniques/T1021/001/
- https://en.wikipedia.org/wiki/Run_command
- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-client-faq
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- https://github.com/JPCERTCC/LogonTracer
Unlock Pro Content
Get the full detection package for T1061 including response playbook, investigation guide, and atomic red team tests.