Esc
Application Window Discovery - T1010
(ATT&CK® Technique)
Definition
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used. For example, information about application windows could be used identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1010["Application Window Discovery"] --> |may-invoke| CreateProcess["Create Process"]; class T1010 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1010 href "/offensive-technique/attack/T1010/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1010["Application Window Discovery"] --> |may-invoke| GetOpenWindows["Get Open Windows"]; class T1010 OffensiveTechniqueNode;
class GetOpenWindows ArtifactNode; click GetOpenWindows href "/dao/artifact/d3f:GetOpenWindows";
click T1010 href "/offensive-technique/attack/T1010/"; click GetOpenWindows href "/dao/artifact/d3f:GetOpenWindows"; SystemCallFiltering["System Call Filtering"] -->
| filters | GetOpenWindows["Get Open Windows"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1010["Application Window Discovery"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class GetOpenWindows ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1010["Application Window Discovery"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | GetOpenWindows["Get Open Windows"];
class SystemCallAnalysis DefensiveTechniqueNode;
class GetOpenWindows ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1010["Application Window Discovery"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ExecutableDenylisting["Executable Denylisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1010["Application Window Discovery"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1010["Application Window Discovery"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1010["Application Window Discovery"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";