Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0097: Detection of Application Window Enumeration via API or Scripting

This detection strategy matters because application window enumeration can reveal what a user is doing, what business applications are open, and whether se...

EnterpriseDET0097Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because application window enumeration can reveal what a user is doing, what business applications are open, and whether security tools are present. Even though the ATT&CK detection-strategy object itself has no official description or detection text, its relationship to Application Window Discovery (T1010) makes it useful for asking whether endpoint monitoring can see discovery behavior that may precede data collection, evasion, or follow-on targeting.

Executive priority

Treat this as a coverage validation item for endpoint visibility and incident readiness rather than a standalone high-confidence alert. Leaders should ask whether SOC and IR teams can prove they collect enough endpoint evidence on Windows, macOS, and Linux to identify suspicious window-enumeration behavior associated with discovery. The business value is in reducing blind spots around early-stage reconnaissance on user workstations and systems handling sensitive applications.

Technical view

DET0097 is a detection strategy for detecting Application Window Discovery (T1010). The supplied object does not include official detection logic, platforms, or tactics, but the related ATT&CK technique is a discovery technique covering Linux, macOS, and Windows. Detection engineering should therefore validate whether endpoint telemetry can show processes or scripts interacting with operating-system features used to list open application windows, and whether that activity can be correlated with unusual parent processes, scripting activity, remote access context, or other discovery behaviors.

Likely telemetry

  • Endpoint process creation and command-line telemetry
  • Script execution telemetry where available
  • API or operating-system event telemetry related to window or UI enumeration where collected
  • Parent-child process relationships for scripting engines, remote access tools, or unusual user-context processes
  • EDR alerts or behavioral events tied to discovery activity

Detection direction

  • Because the official detection field is not provided, start by confirming what endpoint telemetry exists rather than assuming coverage.
  • Tune for suspicious context: uncommon processes performing enumeration, scripting engines involved in discovery-like behavior, or activity occurring alongside other discovery signals.
  • Account for benign administrative, accessibility, automation, testing, and user-support tools that may legitimately inspect windows or user interface state.
  • Correlate with the related technique T1010 and discovery tactic context instead of treating a single window-enumeration signal as conclusive.
  • Validate coverage separately across Windows, macOS, and Linux because the related technique lists all three platforms and telemetry sources may differ significantly.

Mitigation priorities

  • Prioritize endpoint telemetry completeness and retention for systems where user activity or sensitive applications are material to risk.
  • Restrict and monitor unnecessary scripting, automation, and remote administration capabilities according to role and business need.
  • Use least privilege and application control where appropriate to reduce misuse of tools that can perform discovery functions.
  • Document detection assumptions and evidence sources for compliance and incident-response readiness, especially where ATT&CK coverage is mapped to control objectives.
  • Review exceptions for legitimate automation or support tooling so SOC teams can distinguish expected behavior from suspicious discovery.
Analyst notes and limits

The ATT&CK object is a detection strategy with sparse official fields: no official description, detection text, platforms, or tactics are supplied. The practical interpretation comes from its relationship stating that it detects T1010, Application Window Discovery, a discovery technique on Linux, macOS, and Windows. Local environment baselining is essential because UI or window inspection can be legitimate in accessibility, automation, administrative, and support workflows.

This take is limited to the supplied STIX fields, the MITRE external reference, and the relationship to T1010. It does not assert active exploitation, actor attribution, guaranteed detection coverage, or specific tool behavior. Concrete detection logic must be developed and validated using local endpoint telemetry and operating-system-specific evidence.

Official MITRE ATT&CK definition

Detection of Application Window Enumeration via API or Scripting

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1010 Application Window Discovery This object detects Application Window Discovery.
Relationship explorer

All related ATT&CK context

detects · Technique T1010: Application Window Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
06edc0b51093d255...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 06edc0b51093…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0097
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use