Keypoints:
- Enumerates open windows to map active applications and user activity.
- Uses native APIs and scripting to list window titles and process associations.
- Helps attackers find sensitive documents, credential prompts, or unattended sessions.
- Can indicate presence of security tools by revealing UI elements or process names.
- Detection relies on monitoring process calls, command lines, and API usage patterns.
Description:
- Like someone scanning a room to see which doors are open and what's inside, Application Window Discovery lets an attacker quickly spot visible documents, running apps, and security interfaces without breaking anything.
- Adversaries call native APIs or run scripts to list window titles and associated processes. This reveals where valuable data or security controls are located, enabling targeted collection, credential harvesting, or evasion and informing follow-on actions.
Detection:
- Log and alert on processes invoking window-enumeration APIs (e.g., EnumWindows, GetWindowText) using host EDR or syscall monitoring tools.
- Monitor command lines and script activity for tooling or PowerShell commands that query UI state or call UI automation modules.
- Watch for suspicious use of remote access tools that enumerate windows as part of reconnaissance; correlate with atypical sessions or source IPs.
- Collect and analyze WMI and PowerShell logs for queries that may retrieve window or process metadata; enable PowerShell Module Logging and Script Block Logging.
- Instrument OS API call tracing on endpoints of interest to capture direct native API use; use syscall-level telemetry to reduce false positives from common apps.
- Correlate window-discovery events with later data-access or exfiltration behaviors to identify reconnaissance chains rather than isolated benign activity.
- Employ baseline profiling to reduce false positives: document normal window-enumeration patterns for business apps and flag deviations or new tooling usage.
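The detection items above (API/cmdlet indicators, a baseline allowlist, and correlation with later data access) combined into one triage routine run over constructed sample telemetry. This is an added example, not code from the page or from MITRE ATT&CK; the indicator strings, the baseline image path, and the event schema are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Window-enumeration indicators drawn from the detection guidance above;
# the exact strings are an illustrative assumption, not an exhaustive list.
WINDOW_ENUM_PATTERN = re.compile(
    r"EnumWindows|GetWindowText|GetForegroundWindow|MainWindowTitle|"
    r"System\.Windows\.Automation|xdotool\s+search|wmctrl\s+-l",
    re.IGNORECASE,
)

# Baseline profile: processes documented as legitimately enumerating windows
# (constructed example path, lower-cased for comparison).
BASELINE_IMAGES = {r"c:\program files\accessibilityvendor\reader.exe"}

# Constructed sample telemetry: script-block, file-access and API-call events.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "user": "alice",
     "image": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
     "type": "script_block",
     "text": "Get-Process | Where-Object {$_.MainWindowTitle} | Select Name,MainWindowTitle"},
    {"ts": "2024-05-01T09:03:00", "host": "ws01", "user": "alice",
     "image": r"c:\windows\system32\cmd.exe", "type": "file_access",
     "text": r"\\fileserver\finance\payroll.xlsx"},
    {"ts": "2024-05-01T10:00:00", "host": "ws02", "user": "bob",
     "image": r"c:\program files\accessibilityvendor\reader.exe",
     "type": "api_call", "text": "EnumWindows"},
]


def is_window_discovery(event):
    """True when a non-baselined process shows a window-enumeration indicator."""
    if event["image"].lower() in BASELINE_IMAGES:
        return False
    return bool(WINDOW_ENUM_PATTERN.search(event["text"]))


def find_recon_chains(events, window_minutes=15):
    """Pair each window-discovery event with later file access by the same
    host and user inside the correlation window, returning (discovery, access)."""
    chains = []
    for disc in (e for e in events if is_window_discovery(e)):
        t0 = datetime.fromisoformat(disc["ts"])
        for later in events:
            if (later["type"] != "file_access" or later["host"] != disc["host"]
                    or later["user"] != disc["user"]):
                continue
            dt = datetime.fromisoformat(later["ts"]) - t0
            if timedelta(0) < dt <= timedelta(minutes=window_minutes):
                chains.append((disc["text"], later["text"]))
    return chains
```

Running `find_recon_chains(SAMPLE_EVENTS)` flags only the PowerShell enumeration followed by the finance share access; the baselined accessibility tool's EnumWindows call is suppressed.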
Tactics:
Discovery
Platforms:
Linux, Windows, macOS
Data Sources:
Command: Command Execution, Process: OS API Execution, Process: Process Creation
Read More: https://attack.mitre.org/techniques/T1010