Processes using Win32 API calls (e.g., EnumWindows, GetForegroundWindow) or scripting tools (e.g., PowerShell, VBScript) to enumerate open windows. These often appear with reconnaissance or data collection TTPs.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Field | Description |
|---|---|
| AccessedFunction | Tune to focus on suspicious function calls (e.g., user32.dll!EnumWindows). |
| UserContext | Detect behavior from non-interactive or low-privileged users where enumeration is uncommon. |
| TimeWindow | Shorten detection scope to rapid successive window enumeration attempts. |
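As an added example (not code from this page or from ATT&CK), the Python below runs the three tunings above over constructed, parsed EventCode=4104 script-block records: it matches window-enumeration API names (AccessedFunction), counts rapid successive references per user and host (TimeWindow), and lowers severity for known interactive users (UserContext). The record shape, the API name list and the interactive-user list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of a parsed WinEventLog:PowerShell
# EventCode=4104 event (script block logging). Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "user": "svc_backup", "host": "WS01",
     "script": '[DllImport("user32.dll")] static extern IntPtr GetForegroundWindow();'},
    {"time": "2024-05-01T10:00:02", "user": "svc_backup", "host": "WS01",
     "script": "[Win32]::EnumWindows($cb, [IntPtr]::Zero)"},
    {"time": "2024-05-01T10:00:05", "user": "svc_backup", "host": "WS01",
     "script": "[Win32]::GetWindowText($hwnd, $sb, 256)"},
    {"time": "2024-05-01T11:30:00", "user": "alice", "host": "WS02",
     "script": "[Win32]::GetForegroundWindow()"},
    {"time": "2024-05-01T12:00:00", "user": "alice", "host": "WS02",
     "script": "Get-ChildItem C:\\Temp"},
]

# AccessedFunction tuning: user32 window-enumeration APIs worth flagging (assumed list).
WINDOW_APIS = re.compile(r"\b(EnumWindows|GetForegroundWindow|GetWindowText\w*)\b")
# UserContext tuning: users for whom GUI automation is expected (constructed).
INTERACTIVE_USERS = {"alice"}

def find_window_enumeration(events, window=timedelta(seconds=30), threshold=2):
    """Return one alert per (user, host) that referenced window-enumeration
    APIs at least `threshold` times within any `window`-long span."""
    hits = defaultdict(list)
    for ev in events:
        apis = set(WINDOW_APIS.findall(ev["script"]))
        if apis:
            hits[(ev["user"], ev["host"])].append(
                (datetime.fromisoformat(ev["time"]), apis))
    alerts = []
    for (user, host), items in hits.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding TimeWindow over timestamps
            burst = [a for t, a in items[i:] if t - t0 <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user, "host": host, "count": len(burst),
                    "apis": sorted(set().union(*burst)),
                    "severity": "low" if user in INTERACTIVE_USERS else "high"})
                break
    return alerts
```

With the defaults only the service account's three calls within five seconds produce an alert; lowering `threshold` to 1 also surfaces alice's single call, at low severity.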
Scripted or binary usage of X11 utilities (e.g., xdotool, wmctrl) or direct /proc/*/window mappings to discover open GUI windows and active desktops.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | execve |
| Command Execution (DC0064) | linux:syslog | None |
| Field | Description |
|---|---|
| ExecutableName | Common window management utilities can be tuned to reduce noise (e.g., xprop, xwininfo). |
| DisplayContext | Restrict detection to processes executing under graphical sessions (e.g., DISPLAY=:0). |
Processes that utilize AppleScript, CGWindowListCopyWindowInfo, or NSRunningApplication APIs to list active application windows and foreground processes.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | macos:unifiedlog | None |
| Process Creation (DC0032) | macos:osquery | process_events |
| Field | Description |
|---|---|
| AppleScriptTarget | Tunable to ignore benign scripting like automation by known apps. |
| ParentProcess | Useful to suppress expected automation processes. |