MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1010: Application Window Discovery

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used to identify potential data to collect as well as security tooling (Security Software Discovery) to evade.

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

— Monitoring of events with IDs 4103 and 4104 (PowerShell), 4688 (Windows Security Event Log) and 1 (Sysmon) where the command line contains 'Get-Process' (or its alias 'gps') together with the parameter 'MainWindowTitle' (the letter case may vary).
— Monitoring of process-creation (execve) events for xprop (listing all open windows: xprop -root | grep '_NET_CLIENT_LIST_STACKING(WINDOW)'; querying a particular window: xprop -id with the window ID).

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description

Monitor for newly executed processes that may attempt to get a listing of open application windows. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created).

Analytic 1 - Suspicious Processes

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"

ID: DS0017
Data source and component: Command: Command Execution
Description

Monitor executed commands and arguments for actions that could be taken to gather system and network information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Note: Commands can also be obtained from Payload event field for PowerShell event id 4103. For PowerShell Module logging event id 4103, enable logging for module Microsoft.PowerShell.Management.

Analytic 1 - Suspicious Commands

source="*WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4103" | where CommandLine LIKE "%Get-Process%" AND CommandLine LIKE "%mainWindowTitle%"
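The two analytics above and the MaxPatrol SIEM rule description express the same logic: a process-creation or PowerShell-logging event whose command text contains Get-Process (or an alias) together with MainWindowTitle, plus an execve of xprop on Linux. The following is an added example (not MaxPatrol SIEM or MITRE content) that implements that logic in Python over a few constructed events, so the behaviour of the rule can be checked: matching is case-insensitive, the text is taken from CommandLine (Sysmon 1, Security 4688), Payload (4103) or ScriptBlockText (4104), and a 4688 event without command-line auditing enabled yields no hit. The 'ps' alias is included beyond the page's 'gps'; the auditd-style field names for the Linux events are an assumption of this example.

```python
import os
import re
from typing import Optional

# Process-creation channels (Sysmon EID 1, Security EID 4688) and the PowerShell
# logging channel (EID 4103 module logging, EID 4104 script block logging).
PROCESS_CREATE = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}
POWERSHELL_LOG = {("Microsoft-Windows-PowerShell/Operational", 4103),
                  ("Microsoft-Windows-PowerShell/Operational", 4104)}

# Get-Process (or its aliases gps / ps) followed somewhere by MainWindowTitle,
# case-insensitive; DOTALL covers multi-line 4103 payloads and 4104 script blocks.
# 'ps' is a Get-Process alias on Windows PowerShell; the page only mentions 'gps'.
WINDOW_ENUM = re.compile(r"\b(get-process|gps|ps)\b.*?mainwindowtitle",
                         re.IGNORECASE | re.DOTALL)


def _command_text(event: dict) -> str:
    """Pick the field carrying the command for this event type.
    4688 only carries CommandLine when command-line auditing is enabled."""
    for field in ("CommandLine", "Payload", "ScriptBlockText"):
        if event.get(field):
            return event[field]
    return ""


def match_t1010(event: dict) -> Optional[str]:
    """Return a short reason string if the event matches the T1010 logic, else None."""
    key = (event.get("Channel"), event.get("EventID"))
    if key in PROCESS_CREATE or key in POWERSHELL_LOG:
        m = WINDOW_ENUM.search(_command_text(event))
        if m:
            return f"{key[0]}/{key[1]}: {m.group(1)} with MainWindowTitle"
        return None

    # Linux branch: execve of xprop. Field names 'syscall', 'exe', 'argv' are an
    # assumption (auditd-like), not a format taken from the page.
    if event.get("syscall") == "execve":
        argv = event.get("argv") or []
        binary = os.path.basename(event.get("exe") or (argv[0] if argv else ""))
        if binary == "xprop":
            return "execve: " + " ".join(argv)
    return None


def detect(events):
    """Run the rule over a list of events; return (index, reason) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = match_t1010(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "CommandLine": 'powershell.exe -nop -w hidden -c "Get-Process | Where-Object '
                    '{$_.MainWindowTitle} | Select-Object Name, MainWindowTitle"'},
    {"Channel": "Security", "EventID": 4688,
     "CommandLine": 'powershell.exe -c "gps | ? mainwindowtitle"'},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4103,
     "Payload": 'CommandInvocation(Get-Process): "Get-Process"\n'
                'ParameterBinding(Select-Object): name="Property"; value="MainWindowTitle"'},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Get-Process -Name chrome"},            # no window title: no hit
    {"Channel": "Security", "EventID": 4688,
     "CommandLine": "notepad.exe C:\\MainWindowTitle.txt"},      # no Get-Process: no hit
    {"syscall": "execve", "exe": "/usr/bin/xprop", "argv": ["xprop", "-root"]},
    {"syscall": "execve", "exe": "/usr/bin/grep",
     "argv": ["grep", "_NET_CLIENT_LIST_STACKING(WINDOW)"]},    # grep alone: no hit
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

Events 0, 1, 2 and 5 produce hits; the 4104 event enumerating processes without MainWindowTitle, the notepad command that merely contains the string, and the grep half of the xprop pipeline do not. Tuning beyond this (for example, excluding known administrative scripts) belongs in the SIEM rule's whitelist, not in the match itself.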

ID: DS0009
Data source and component: Process: OS API Execution
Description

Monitor for API calls (such as GetForegroundWindow()) that may attempt to get a listing of open application windows. The GetForegroundWindow API returns a handle to the foreground window (the window with which the user is currently working); EnumWindows and GetWindowText are the Win32 calls used to walk all top-level windows and read their titles. Other calls relevant to application window discovery include the .NET System.Diagnostics.Process.GetProcesses method, which returns an array of Process objects representing every process running on the local computer; their MainWindowTitle property is what the Get-Process rule above looks for.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (e.g., sandboxes) can be used to trace the execution, including OS API calls, of a single PE binary.