Skip to content

Latest commit

 

History

History
54 lines (36 loc) · 1.77 KB

T1010.md

File metadata and controls

54 lines (36 loc) · 1.77 KB
Raw

T1010 - Application Window Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.

In Mac, this can be done natively with a small AppleScript script.

Atomic Tests


Atomic Test #1 - List Process Main Windows - C# .NET

Compiles and executes C# code to list main window titles associated with each process.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
input_url URL to source code in Atomic-Red-Team git repository Url https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs
input_source_code Path to source of C# code path PathToAtomicsFolder\T1010\src\T1010.cs
output_file_name Name of output binary string $env:TEMP\T1010.exe

Attack Commands: Run with command_prompt!

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}

Cleanup Commands:

del /f /q /s #{output_file_name} >nul 2>&1

Dependencies: Run with powershell!

Description: T1010.cs must exist on disk at specified location (#{input_source_code})
Check Prereq Commands:
if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "#{input_URL}" -OutFile "#{input_source_code}"