Description
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used to identify potential data to collect, as well as to identify security tooling (see Security Software Discovery) to evade.(Citation: ESET Grandoreiro April 2020)
Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.
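As an added defensive example (not part of the ATT&CK entry), the script below scores constructed API-call telemetry for the behaviour described above: a non-allowlisted process that enumerates windows, reads their titles, or bursts window-discovery calls from a user-writable path. The event schema, the allowlist, the directory list and the sample events are all assumptions for illustration.

```python
from collections import defaultdict

# Win32 APIs commonly involved in listing windows and reading their titles
WINDOW_DISCOVERY_APIS = {"EnumWindows", "EnumChildWindows", "GetForegroundWindow",
                         "GetWindowTextA", "GetWindowTextW"}
# Assumed allowlist of images expected to enumerate windows; tune per environment
EXPECTED_IMAGES = {r"c:\windows\explorer.exe", r"c:\windows\system32\taskmgr.exe"}
# User-writable locations from which window enumeration is unusual (assumption)
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample telemetry (hypothetical schema: timestamp, pid, image path, API name)
EVENTS = [
    {"ts": 1.00, "pid": 1234, "image": r"C:\Windows\explorer.exe", "api": "EnumWindows"},
    {"ts": 1.01, "pid": 1234, "image": r"C:\Windows\explorer.exe", "api": "GetWindowTextW"},
    {"ts": 5.00, "pid": 4321, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "api": "EnumWindows"},
    {"ts": 5.01, "pid": 4321, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "api": "GetWindowTextW"},
    {"ts": 5.02, "pid": 4321, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "api": "GetWindowTextW"},
    {"ts": 5.50, "pid": 4321, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "api": "GetForegroundWindow"},
    {"ts": 9.00, "pid": 777, "image": r"C:\Program Files\Notes\notes.exe", "api": "GetForegroundWindow"},
    {"ts": 9.10, "pid": 777, "image": r"C:\Program Files\Notes\notes.exe", "api": "CreateFileW"},
]

def score_window_discovery(events, min_calls=3, burst_window=2.0):
    """Return {pid: finding} for processes whose window-discovery activity looks anomalous."""
    per_pid = defaultdict(lambda: {"image": "", "ts": [], "apis": set()})
    for e in events:
        if e["api"] not in WINDOW_DISCOVERY_APIS:
            continue                      # unrelated API call, ignore
        rec = per_pid[e["pid"]]
        rec["image"] = e["image"]
        rec["ts"].append(e["ts"])
        rec["apis"].add(e["api"])
    findings = {}
    for pid, rec in per_pid.items():
        image = rec["image"].lower()
        if image in EXPECTED_IMAGES:
            continue                      # known-good enumerator, suppress
        reasons = []
        if any(d in image for d in USER_WRITABLE_DIRS):
            reasons.append("image runs from a user-writable directory")
        if "EnumWindows" in rec["apis"] and rec["apis"] & {"GetWindowTextA", "GetWindowTextW"}:
            reasons.append("enumerates windows and reads their titles")
        if len(rec["ts"]) >= min_calls and max(rec["ts"]) - min(rec["ts"]) <= burst_window:
            reasons.append("burst of window-discovery calls")
        if reasons:
            findings[pid] = {"image": rec["image"], "reasons": reasons}
    return findings
```

Running `score_window_discovery(EVENTS)` flags only pid 4321; explorer.exe is suppressed by the allowlist and the single `GetForegroundWindow` call from notes.exe produces no reason on its own.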
Platforms
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server the title of the window for each running ... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has collected window title information from compromised systems.(Citation: CISA AA24-038A PRC C... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used a PowerShell-based keylogging tool to capture the window title.(Citation: SecureWorks August ... |
Associated Software (34)
| ID | Name | Type | Context |
|---|---|---|---|
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) can obtain application window titles and then determines which windows to perform Screen Capture on.(... |
| S0033 | NetTraveler | Malware | [NetTraveler](https://attack.mitre.org/software/S0033) reports window names along with keylogger information to provide application context.(Citation:... |
| S0454 | Cadelspy | Malware | [Cadelspy](https://attack.mitre.org/software/S0454) has the ability to identify open windows on the compromised host.(Citation: Symantec Chafer Dec 20... |
| S0696 | Flagpro | Malware | [Flagpro](https://attack.mitre.org/software/S0696) can check the name of the window displayed on the system.(Citation: NTT Security Flagpro new Decemb... |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) gathers information about opened windows during the initial infection.(Citation: Fidelis njRAT June 2... |
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) can monitor the titles of open windows to identify specific keywords.(Citation: Secureworks... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) will search for cryptocurrency wallets by examining application window names for specific strings.... |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) reports window names along with keylogger information to provide application context.(Citation... |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) has a command to get text of the current foreground window.(Citation: Volexity PowerDuke November... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can enumerate windows and child windows on a compromised host.(Citation: ESET InvisiMole June 20... |
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the titles of running windows on a compromised host.(Citation: CheckP... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can identify installed security tools based on window names.(Citation: ESET Grandoreiro April 2... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has used `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twice and... |
| S0219 | WINERACK | Malware | [WINERACK](https://attack.mitre.org/software/S0219) can enumerate active windows.(Citation: FireEye APT37 Feb 2018) |
| S0409 | Machete | Malware | [Machete](https://attack.mitre.org/software/S0409) saves the window names.(Citation: ESET Machete July 2019) |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) can use `GetForegroundWindow` to enumerate the active window.(Citation: MoustachedBouncer ESET Au... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) can discover and close windows on controlled systems.(Citation: Red Canary NETWIRE January 2020) |
| S0265 | Kazuar | Malware | [Kazuar](https://attack.mitre.org/software/S0265) gathers information about opened windows.(Citation: Unit 42 Kazuar May 2017) |
| S0375 | Remexi | Malware | [Remexi](https://attack.mitre.org/software/S0375) has a command to capture active windows on the machine and retrieve window titles.(Citation: Securel... |
| S1159 | DUSTTRAP | Malware | [DUSTTRAP](https://attack.mitre.org/software/S1159) can enumerate running application windows.(Citation: Google Cloud APT41 2024) |
References
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
Frequently Asked Questions
What is T1010 (Application Window Discovery)?
T1010 is a MITRE ATT&CK technique named 'Application Window Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, inform...
How can T1010 be detected?
Detection of T1010 (Application Window Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Because the technique abuses native system features (Native API functions and Command and Scripting Interpreter commands), use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with it.
What mitigations exist for T1010?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1010?
Known threat groups using T1010 include: Lazarus Group, Volt Typhoon, HEXANE.