title: Graphical User Interface (T1061)
id: df00tech-t1061
status: experimental
description: "Adversaries may use a system's graphical user interface (GUI) during an operation, commonly through a remote interactive session such as Remote Desktop Protocol (RDP), instead of a command-line interpreter. GUI-based interaction lets adversaries browse for information, execute files by double-clicking them, launch programs from the Windows Run dialog, or perform other actions that are harder to monitor than command-line activity. MITRE ATT&CK has deprecated this technique in favor of Remote Services (T1021), but detection of suspicious interactive GUI sessions remains operationally relevant. Key indicators include remote interactive logons (Security Event ID 4624 with Logon Type 10, RemoteInteractive), unexpected explorer.exe child processes such as command shells or script interpreters, commands entered in the Run dialog (which explorer.exe launches and records in the per-user RunMRU registry key), and interactive sessions established outside normal business hours or from unusual source IP addresses."
references:
  - https://attack.mitre.org/techniques/T1061/
  - https://df00tech.com/detections/T1061
author: df00tech
date: 2026/04/16
tags:
  - attack.t1061
# NOTE: logsource is auto-derived and may need adjustment for your environment.
logsource:
  category: process_creation
  product: windows
detection:
  # Process-creation half of the indicators in the description: a shell or script
  # interpreter started directly by the desktop shell (Run dialog or double-click).
  # The Logon Type 10, off-hours and source-IP checks need the Security log
  # (Event ID 4624) and are covered by the KQL/SPL query on df00tech.
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
  condition: selection
falsepositives:
  - Legitimate remote administration by IT staff connecting via RDP to manage servers and workstations
  - "Help desk personnel using remote desktop to assist end users, spawning diagnostic tools like cmd.exe or PowerShell"
  - Developers using interactive RDP sessions on build servers and launching development tools via GUI
  - Jump box or bastion host users who routinely access systems interactively and run standard administrative commands
level: medium
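The indicators listed in the description (Logon Type 10, explorer.exe spawning an interpreter, off-hours logons, unusual source addresses) can be checked end to end over sample telemetry. The following Python is an added example, not part of the df00tech rule or of MITRE ATT&CK; it correlates constructed Security 4624 logon events with constructed Sysmon-style process creation events by logon ID. The business-hours window, the trusted admin network, the list of interpreters, and every sample event are assumptions made for the demonstration, and field names follow Sysmon/Sigma naming (for Event ID 4688 the process-side field would be SubjectLogonId rather than LogonId).

```python
# Added example (not part of the df00tech rule): evaluate the description's
# indicators over constructed Windows events. All sample data and thresholds
# below are assumptions for the demo, not real telemetry or site policy.
from datetime import datetime
from ipaddress import ip_address, ip_network

BUSINESS_HOURS = range(8, 18)                  # assumption: 08:00-17:59 local time
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]    # assumption: expected RDP sources

# Images that are unexpected children of explorer.exe in a remote session
# (launched via the Run dialog or a double-click). Assumption for the demo.
SUSPICIOUS_EXPLORER_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Constructed Security 4624 events (Sigma field names), not real logs.
LOGON_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "TargetLogonId": "0x3e7a1", "IpAddress": "203.0.113.45",
     "TimeCreated": "2026-04-16T02:14:07"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "TargetLogonId": "0x41c22", "IpAddress": "10.20.5.12",
     "TimeCreated": "2026-04-16T10:30:00"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "fileshare_svc",
     "TargetLogonId": "0x52b10", "IpAddress": "10.20.7.3",
     "TimeCreated": "2026-04-16T02:20:00"},    # network logon, not interactive
]
# Constructed Sysmon-style process creation events, not real logs.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c whoami /all", "LogonId": "0x3e7a1",
     "TimeCreated": "2026-04-16T02:15:30"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"notepad++.exe" notes.txt', "LogonId": "0x41c22",
     "TimeCreated": "2026-04-16T10:32:10"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -File build.ps1", "LogonId": "0x41c22",
     "TimeCreated": "2026-04-16T10:40:00"},    # parent is cmd.exe, not explorer
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def explorer_spawned_interpreter(event: dict) -> bool:
    """Process-creation indicator: an interpreter launched directly by explorer.exe."""
    return (basename(event["ParentImage"]) == "explorer.exe"
            and basename(event["Image"]) in SUSPICIOUS_EXPLORER_CHILDREN)


def off_hours(timestamp: str) -> bool:
    """True when the event hour falls outside the assumed business-hours window."""
    return datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS


def unusual_source(ip: str) -> bool:
    """True when the RDP source address is outside the assumed admin networks."""
    addr = ip_address(ip)
    return not any(addr in net for net in ADMIN_NETWORKS)


def score_remote_sessions(logons, processes) -> dict:
    """Return {logon_id: {"user": ..., "reasons": [...]}} for every
    RemoteInteractive (Logon Type 10) session showing at least one indicator."""
    by_logon = {}
    for ev in processes:
        by_logon.setdefault(ev["LogonId"], []).append(ev)

    flagged = {}
    for logon in logons:
        if logon["EventID"] != 4624 or logon["LogonType"] != 10:
            continue                            # only remote interactive logons
        reasons = []
        if off_hours(logon["TimeCreated"]):
            reasons.append("off_hours_logon")
        if unusual_source(logon["IpAddress"]):
            reasons.append("unusual_source_ip")
        for proc in by_logon.get(logon["TargetLogonId"], []):
            if explorer_spawned_interpreter(proc):
                reasons.append("explorer_spawned:" + basename(proc["Image"]))
        if reasons:
            flagged[logon["TargetLogonId"]] = {
                "user": logon["TargetUserName"], "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for logon_id, hit in score_remote_sessions(LOGON_EVENTS, PROCESS_EVENTS).items():
        print(logon_id, hit["user"], ", ".join(hit["reasons"]))
```

With the sample data only the svc_backup session is flagged: it is a Logon Type 10 logon at 02:14 from outside the admin network, and explorer.exe in that session launched cmd.exe. The jdoe session launches Notepad++ from explorer.exe and PowerShell from cmd.exe, neither of which matches, which is the shape of the help-desk and developer false positives listed above; tuning the interpreter list and the trusted networks per environment is what keeps this rule at a usable precision.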
