T1010

Application Window Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used to identify potential data to collect as well as identifying security tooling (Security Software Discovery) to evade.(Citation: ESET Grandoreiro April 2020)

Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as Command and Scripting Interpreter commands and Native API functions.

Tests

Test #1 - Find all running applications which currently have a window

This test uses System Events to find all running applications that currently have a window.

⚠️ TCC Required
tell application "System Events" to get name of every process whose background only is false
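
A defender-side sketch of matching process telemetry against this test's command, added here as an example (it is not part of the original page or the test's own code). The event schema (`pid`, `parent`, `cmdline`), the sample events, and the match patterns are assumptions constructed from the AppleScript line above.

```python
import re
import shlex

# Constructed process-execution events (hypothetical schema: pid, parent, cmdline).
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "Terminal", "cmdline":
     "osascript -e 'tell application \"System Events\" to get name of every process whose background only is false'"},
    {"pid": 502, "parent": "launchd", "cmdline":
     "osascript -e 'tell application \"System Events\"' -e 'get title of every window of every process' -e 'end tell'"},
    {"pid": 503, "parent": "Finder", "cmdline":
     "osascript -e 'tell application \"Finder\" to open home'"},
    {"pid": 504, "parent": "zsh", "cmdline": "osascript /tmp/example.scpt"},
]

# Assumed patterns: the script addresses System Events AND enumerates processes or windows.
TARGET = re.compile(r'application\s+"System Events"', re.I)
ENUM = re.compile(r'every\s+(application\s+)?process|every\s+window|background\s+only', re.I)

def inline_script(cmdline):
    """Join all -e fragments of an osascript command line; None if not osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: the command line cannot be parsed reliably
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return None
    parts = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e"]
    return "\n".join(parts)

def classify(event):
    """Return 'window-discovery', 'script-file' (content needs review) or None."""
    script = inline_script(event["cmdline"])
    if script is None:
        return None
    if script == "":
        return "script-file"  # script text lives in a file; the command line alone cannot decide
    if TARGET.search(script) and ENUM.search(script):
        return "window-discovery"
    return None

def detect(events):
    """Map pid -> verdict for every event that warrants attention."""
    return {e["pid"]: v for e in events if (v := classify(e))}
```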

References