Skip to content

DET0097 Detection of Application Window Enumeration via API or Scripting

Item Value
ID DET0097
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1010 (Application Window Discovery)

Analytics

Windows

AN0271

Processes using Win32 API calls (e.g., EnumWindows, GetForegroundWindow) or scripting tools (e.g., PowerShell, VBScript) to enumerate open windows. These often appear with reconnaissance or data collection TTPs.

Log Sources
Data Component Name Channel
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Mutable Elements
Field Description
AccessedFunction Tune to focus on suspicious function calls (e.g., user32.dll!EnumWindows).
UserContext Detect behavior from non-interactive or low-privileged users where enumeration is uncommon.
TimeWindow Shorten detection scope to rapid successive window enumeration attempts.

Linux

AN0272

Scripted or binary usage of X11 utilities (e.g., xdotool, wmctrl) or direct /proc/*/window mappings to discover open GUI windows and active desktops.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:EXECVE execve
Command Execution (DC0064) linus:syslog None
Mutable Elements
Field Description
ExecutableName Common window management utilities can be tuned to reduce noise (e.g., xprop, xwininfo).
DisplayContext Restrict detection to processes executing under graphical sessions (e.g., DISPLAY=:0).

macOS

AN0273

Processes that utilize AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs to list active application windows and foreground processes.

Log Sources
Data Component Name Channel
OS API Execution (DC0021) macos:unifiedlog None
Process Creation (DC0032) macos:osquery process_events
Mutable Elements
Field Description
AppleScriptTarget Tunable to ignore benign scripting like automation by known apps.
ParentProcess Useful to suppress expected automation processes.