title: Application Window Discovery (T1010)
id: df00tech-t1010
status: experimental
description: "Adversaries may attempt to get a listing of open application windows. Window listings convey information about how the system is used and help adversaries identify potential data sources and security tooling to evade. Malware families including Attor, njRAT, DarkWatchman, Grandoreiro, InvisiMole, and Lazarus Group tooling use this technique to obtain window titles and correlate them with keylogger output, identify running security products by window name, locate cryptocurrency wallets, and determine sandbox environments. Adversaries typically implement this via native Windows API functions (EnumWindows, GetForegroundWindow, FindWindow, GetWindowText from user32.dll), scripting languages using P/Invoke or COM automation, or automation tools such as AutoHotkey and AutoIt. On Linux and macOS, adversaries may use xdotool, wmctrl, or Quartz/Cocoa APIs to achieve equivalent capability."
references:
  - https://attack.mitre.org/techniques/T1010/
  - https://df00tech.com/detections/T1010
author: df00tech
date: 2026/04/13
tags:
  - attack.t1010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate AutoHotkey or AutoIt scripts used by IT support staff for desktop automation and helpdesk tooling
  - "Screen recording, remote desktop, and accessibility software (e.g., NVDA, JAWS, TeamViewer) that enumerates windows for UI interaction"
  - "Developer tooling such as UI testing frameworks (Selenium WebDriver for Windows, WinAppDriver, TestComplete) that programmatically enumerate windows"
  - Python automation scripts for legitimate RPA (Robotic Process Automation) deployments using pywin32 or pywinauto
  - PowerShell DSC configurations or inventory scripts that query Shell.Application window state
level: medium