T1497.002 User Activity Based Checks Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let UserActivityAPIs = dynamic(["GetCursorPos", "GetLastInputInfo", "GetForegroundWindow", "GetAsyncKeyState", "GetKeyState", "mouse_event", "SetCursorPos", "GetDesktopWindow"]);
let UserActivityChecks = dynamic(["RecentDocs", "Recent", "Desktop", "Favorites", "Bookmarks", "History", "Cookies", "Downloads"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (UserActivityAPIs)
    or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has_any ("dir /b", "Get-ChildItem") 
        and ProcessCommandLine has_any ("Desktop", "Recent", "Downloads", "Documents") 
        and ProcessCommandLine has_any ("count", ".Count", "find /c", "Measure-Object"))
    or (FileName =~ "reg.exe" and ProcessCommandLine has "RecentDocs")
| extend MouseCheck = ProcessCommandLine has_any ("GetCursorPos", "GetLastInputInfo", "mouse_event", "SetCursorPos")
| extend WindowCheck = ProcessCommandLine has_any ("GetForegroundWindow", "GetDesktopWindow")
| extend FileCountCheck = ProcessCommandLine has_any ("Desktop", "Recent", "Downloads") and ProcessCommandLine has_any ("count", ".Count", "find /c", "Measure-Object")
| extend RecentDocsCheck = ProcessCommandLine has "RecentDocs"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         MouseCheck, WindowCheck, FileCountCheck, RecentDocsCheck
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Process: OS API Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Accessibility tools and automation software that track mouse position for user interface automation
RPA (Robotic Process Automation) tools like UiPath that monitor user input state
Custom IT scripts that count files in user directories for compliance or cleanup purposes
Screen recording or remote desktop software that tracks input events

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval MouseActivityCheck=if(match(CommandLine, "(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate)"), 1, 0)
| eval WindowActivityCheck=if(match(CommandLine, "(getforegroundwindow|getdesktopwindow)"), 1, 0)
| eval FileCountCheck=if(match(CommandLine, "(desktop|recent|downloads|documents)") AND match(CommandLine, "(count|\.count|find /c|measure-object|wc -l)"), 1, 0)
| eval RecentDocsCheck=if(match(CommandLine, "recentdocs"), 1, 0)
| eval BrowserHistoryCheck=if(match(CommandLine, "(history|bookmarks|cookies|places\.sqlite)") AND NOT match(Image, "(?i)(chrome|firefox|msedge|brave|opera)"), 1, 0)
| eval SuspicionScore=MouseActivityCheck*2 + WindowActivityCheck*2 + FileCountCheck + RecentDocsCheck + BrowserHistoryCheck
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, MouseActivityCheck, WindowActivityCheck, FileCountCheck, RecentDocsCheck, BrowserHistoryCheck, SuspicionScore
| sort - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Accessibility and automation software tracking mouse position
RPA tools monitoring user input state
IT scripts counting files for compliance/cleanup
Remote desktop and screen sharing software

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.command_line regex~ "(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow)"
  or (
    process.name in~ ("cmd.exe", "powershell.exe") and
    process.command_line regex~ "(?i)(desktop|recent|downloads|documents)" and
    process.command_line regex~ "(?i)(count|\\.count|find /c|measure-object)"
  )
  or (
    process.name like~ "reg.exe" and
    process.command_line like~ "*recentdocs*"
  )
  or (
    process.command_line regex~ "(?i)(history|bookmarks|cookies|places\\.sqlite)" and
    not process.name regex~ "(?i)(chrome|firefox|msedge|brave|opera)\\.exe"
  )
)

medium severity medium confidence

Data Sources

Elastic Endpoint Security agent Winlogbeat with Sysmon module (EventID 1) Auditbeat process dataset

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-system.security-*

False Positives

Legitimate GUI automation frameworks such as AutoHotkey, AutoIt, PyAutoGUI, or Sikuli that invoke GetCursorPos or mouse_event Win32 APIs for UI testing pipelines
IT administrator PowerShell scripts that count files in Desktop, Recent, or Downloads folders for storage quota audits or user profile cleanup routines
Endpoint DLP or UEBA agents that inspect browser history and bookmark paths to enforce data governance or insider threat detection policies

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command Line" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate).*' THEN 1 ELSE 0 END AS mouse_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(getforegroundwindow|getdesktopwindow).*' THEN 1 ELSE 0 END AS window_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(desktop|recent|downloads|documents).*'
    AND LOWER("Command Line") MATCHES '(?i).*(count|\.count|find /c|measure-object|wc -l).*' THEN 1 ELSE 0 END AS file_count_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*recentdocs.*' THEN 1 ELSE 0 END AS recentdocs_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(history|bookmarks|cookies|places\.sqlite).*'
    AND NOT LOWER("Process Name") MATCHES '(?i).*(chrome|firefox|msedge|brave|opera).*' THEN 1 ELSE 0 END AS browser_history_check
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("Command Line") MATCHES '(?i).*(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow).*'
    OR (
      LOWER("Process Name") IN ('cmd.exe', 'powershell.exe')
      AND LOWER("Command Line") MATCHES '(?i).*(desktop|recent|downloads|documents).*'
      AND LOWER("Command Line") MATCHES '(?i).*(count|\.count|find /c|measure-object).*'
    )
    OR LOWER("Command Line") MATCHES '(?i).*recentdocs.*'
    OR (
      LOWER("Command Line") MATCHES '(?i).*(history|bookmarks|cookies|places\.sqlite).*'
      AND NOT LOWER("Process Name") MATCHES '(?i).*(chrome|firefox|msedge|brave|opera).*'
    )
  )
LAST 24 HOURS
ORDER BY devicetime DESC

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 with command line auditing enabled) Sysmon via Windows Event Log DSM (EventID 1)

Required Tables

events

False Positives

RPA platforms such as UiPath, Blue Prism, or Automation Anywhere that use Win32 mouse and keyboard APIs during attended or unattended automation workflows
RMM agents such as ConnectWise Automate or Datto RMM executing PowerShell scripts that enumerate file counts in standard user profile directories for capacity reporting
Security awareness training or phishing simulation platforms that scan browser history or cookie stores to personalise lure content in authorised simulation campaigns

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*security*
| where EventID = 1 OR EventCode = 1
| parse regex "(?i)<Data Name='CommandLine'>(?<CommandLine>[^<]+)" nodrop
| parse regex "(?i)<Data Name='Image'>(?<Image>[^<]+)" nodrop
| parse regex "(?i)<Data Name='ParentImage'>(?<ParentImage>[^<]+)" nodrop
| parse regex "(?i)<Data Name='User'>(?<User>[^<]+)" nodrop
| parse regex "(?i)<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)" nodrop
| eval cmd_lower = toLowerCase(CommandLine)
| eval img_lower = toLowerCase(Image)
| eval mouse_check = if(matches(cmd_lower, "(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate)"), 1, 0)
| eval window_check = if(matches(cmd_lower, "(?i)(getforegroundwindow|getdesktopwindow)"), 1, 0)
| eval file_count_check = if(matches(cmd_lower, "(?i)(desktop|recent|downloads|documents)") and matches(cmd_lower, "(?i)(count|\.count|find /c|measure-object|wc -l)"), 1, 0)
| eval recentdocs_check = if(matches(cmd_lower, "(?i)recentdocs"), 1, 0)
| eval browser_history_check = if(matches(cmd_lower, "(?i)(history|bookmarks|cookies|places\.sqlite)") and !matches(img_lower, "(?i)(chrome|firefox|msedge|brave|opera)\.exe"), 1, 0)
| eval suspicion_score = (mouse_check * 2) + (window_check * 2) + file_count_check + recentdocs_check + browser_history_check
| where suspicion_score > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, mouse_check, window_check, file_count_check, recentdocs_check, browser_history_check, suspicion_score
| sort by _messageTime desc

medium severity medium confidence

Data Sources

Sumo Logic Sysmon App (Windows Sysmon EventID 1) Windows Security Event Log with process creation auditing and command line capture (EventID 4688)

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*wineventlog*security*

False Positives

Legitimate Robotic Process Automation workflows using AutoHotkey, Sikuli, or WinAppDriver that programmatically invoke mouse and window Win32 APIs during UI-driven automation
Scheduled PowerShell tasks executed by endpoint management tooling that count files in Desktop or Downloads directories as part of periodic housekeeping or telemetry collection
Browser migration utilities or password managers that read browser history, cookies, or bookmarks paths during profile import or credential synchronisation operations

Google Chronicle / SecOps

yaral

rule t1497_002_user_activity_based_checks {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects user activity enumeration techniques used to identify sandbox or VM analysis environments (T1497.002). Covers mouse Win32 API calls, window handle checks, user directory file count operations, RecentDocs registry access, and browser data path access by non-browser processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497.002"
    severity = "MEDIUM"
    priority = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1497/002/"
    created = "2026-04-14"
    version = "1.0"
    yara_l_version = "2.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
    (
      re.regex($e.target.process.command_line, `(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(desktop|recent|downloads|documents)`) and
        re.regex($e.target.process.command_line, `(?i)(count|\.count|find /c|measure-object)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)recentdocs`)
      )
      or (
        re.regex($e.target.process.command_line, `(?i)(history|bookmarks|cookies|places\.sqlite)`) and
        not re.regex($e.target.process.file.full_path, `(?i)(chrome|firefox|msedge|brave|opera)\.exe$`)
      )
    )

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle via Windows event log forwarder Chronicle Unified Data Model endpoint telemetry (PROCESS_LAUNCH events) BindPlane or Ops Agent forwarding Sysmon EventID 1

Required Tables

UDM entity graph — PROCESS_LAUNCH event type

False Positives

Authorised GUI automation scripts using AutoHotkey, PyAutoGUI, or similar tools that legitimately call GetCursorPos or SetCursorPos APIs as part of scheduled UI testing
IT helpdesk or endpoint management scripts that count files in user profile directories (Desktop, Downloads, Recent) for storage reporting or profile size enforcement
Browser profile migration utilities or enterprise credential vault tools that access browser history or cookie directory paths during onboarding or synchronisation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow|recentdocs)/
  or (
    FileName = /(?i)^(cmd\.exe|powershell\.exe)$/
    and CommandLine = /(?i)(desktop|recent|downloads|documents)/
    and CommandLine = /(?i)(count|\.count|find\/c|measure-object)/
  )
  or (
    CommandLine = /(?i)(history|bookmarks|cookies|places\.sqlite)/
    and not FileName = /(?i)^(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe)$/
  )
| mouse_check := if(CommandLine = /(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate)/, 1, 0)
| window_check := if(CommandLine = /(?i)(getforegroundwindow|getdesktopwindow)/, 1, 0)
| file_count_check := if(
    CommandLine = /(?i)(desktop|recent|downloads|documents)/
    and CommandLine = /(?i)(count|\.count|find\/c|measure-object)/,
    1, 0
  )
| recentdocs_check := if(CommandLine = /(?i)recentdocs/, 1, 0)
| browser_history_check := if(
    CommandLine = /(?i)(history|bookmarks|cookies|places\.sqlite)/
    and not FileName = /(?i)^(chrome\.exe|firefox\.exe|msedge\.exe|brave\.exe|opera\.exe)$/,
    1, 0
  )
| suspicion_score := (mouse_check * 2) + (window_check * 2) + file_count_check + recentdocs_check + browser_history_check
| suspicion_score > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, mouse_check, window_check, file_count_check, recentdocs_check, browser_history_check, suspicion_score])
| sort(timestamp, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint sensor (ProcessRollup2 events) Falcon LogScale via Falcon Data Replicator or direct ingest

Required Tables

ProcessRollup2

False Positives

Authorised red team or penetration testing engagements where post-exploitation frameworks (Cobalt Strike, Metasploit) execute user-simulation modules that invoke mouse activity APIs
Enterprise endpoint management or RMM agents running PowerShell inventory scripts that enumerate file counts in Desktop or Downloads folders for asset management telemetry
Password managers or SSO desktop clients (1Password, LastPass, Okta Verify) that read browser cookie or history paths during credential auto-fill or profile discovery operations

User Activity Based Checks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections