T1010

Description from ATT&CK

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade.(Citation: ESET Grandoreiro April 2020)

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.

Source

Atomic Tests

• Atomic Test #1: List Process Main Windows - C# .NET

Atomic Test #1: List Process Main Windows - C# .NET

Compiles and executes C# code to list main window titles associated with each process.

Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.

Supported Platforms: Windows

auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4

Inputs

Attack Commands: Run with command_prompt!

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}

Cleanup Commands

del /f /q /s #{output_file_name} >nul 2>&1

Dependencies: Run with powershell!

Description: T1010.cs must exist on disk at specified location (#{input_source_code})

Check Prereq Commands

if (Test-Path "#{input_source_code}") {exit 0} else {exit 1}

Get Prereq Commands

New-Item -Type Directory (split-path "#{input_source_code}") -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"

Atomic test(s) for this technique last updated: 2023-09-22 16:47:25 UTC