From 0779b60397fd121905ec7ee9bb728f696558fb43 Mon Sep 17 00:00:00 2001
From: Tony M Lambert
Date: Thu, 13 Dec 2018 10:07:08 -0600
Subject: [PATCH] T1010 App Window Discovery with C# (#429)

---
 atomics/T1010/T1010.yaml | 27 +++++++++++++++++++++++
 atomics/T1010/src/T1010.cs | 44 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 atomics/T1010/T1010.yaml
 create mode 100644 atomics/T1010/src/T1010.cs

diff --git a/atomics/T1010/T1010.yaml b/atomics/T1010/T1010.yaml
new file mode 100644
index 00000000..09c73a6f
--- /dev/null
+++ b/atomics/T1010/T1010.yaml
@@ -0,0 +1,27 @@
+---
+attack_technique: T1010
+display_name: Application Window Discovery
+
+atomic_tests:
+- name: List Process Main Windows - C# .NET
+ description: |
+ Compiles and executes C# code to list main window titles associated with each process.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ input_source_code:
+ description: Path to source of C# code
+ type: path
+ default: C:\AtomicRedTeam\atomics\T1010\src\T1010.cs
+ output_file_name:
+ description: Name of output binary
+ type: string
+ default: T1010.exe
+
+ executor:
+ name: command_prompt
+ command: |
+ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
+ #{output_file_name}
diff --git a/atomics/T1010/src/T1010.cs b/atomics/T1010/src/T1010.cs
new file mode 100644
index 00000000..d447ae95
--- /dev/null
+++ b/atomics/T1010/src/T1010.cs
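Review bot: The executor compiles `#{output_file_name}` into the working directory and runs it, but the test defines no `cleanup_command`, so every execution leaves `T1010.exe` behind on the host and a re-run silently overwrites it. I would add, under `executor`, `cleanup_command: |` followed by `del #{output_file_name} >nul 2>&1` so the artifact is removed once the test has run. The csc.exe path is also hard-coded to the v4.0.30319 Framework folder rather than exposed as an input argument like the other two values; making it an input would let the test run on hosts where that exact directory is absent.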
@@ -0,0 +1,44 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+
+/*
+Author: Tony Lambert, Twitter: @ForensicITGuy
+License: MIT License
+Step One:
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe T1010.cs
+Step Two:
+T1010.exe
+*/
+
+namespace WindowLister
+{
+ class Lister
+ {
+ static List ListMainWindowTitles()
+ {
+ List windowTitlesList = new List();
+
+ Process[] processlist = Process.GetProcesses();
+
+ foreach (Process process in processlist)
+ {
+ string titleOutputLine;
+
+ if (!String.IsNullOrEmpty(process.MainWindowTitle))
+ {
+ titleOutputLine = "Process: " + process.ProcessName + " ID: " + process.Id + " Main Window title: " + process.MainWindowTitle;
+ windowTitlesList.Add(titleOutputLine);
+ }
+ }
+
+ return windowTitlesList;
+ }
+
+ static void Main(string[] args)
+ {
+ List windowTitlesList = ListMainWindowTitles();
+ windowTitlesList.ForEach(i => Console.Write("{0}\n", i));
+ }
+ }
+}
\ No newline at end of file
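Review bot: `List` appears with no type argument in `static List ListMainWindowTitles()`, `new List()` and the `List windowTitlesList` declaration in Main; as rendered here that does not compile, since System.Collections.Generic has no non-generic List, so the `<string>` was most likely stripped in rendering — worth confirming the committed file reads `List<string>` in all three places. ListMainWindowTitles carries no doc comment; I would add `/// <summary>Returns one "Process: name ID: id Main Window title: title" line per running process whose MainWindowTitle is non-empty; processes with no main window are skipped.</summary>`. On style, `windowTitlesList.ForEach(i => Console.Write("{0}\n", i));` reads more plainly as `windowTitlesList.ForEach(i => Console.WriteLine(i));` (which also emits the platform newline), and the chain of `+` concatenations building titleOutputLine could be a single `string.Format("Process: {0} ID: {1} Main Window title: {2}", process.ProcessName, process.Id, process.MainWindowTitle)`, which the v4.0.30319 compiler named in the header comment supports. The Process instances returned by GetProcesses() are IDisposable and are never disposed; harmless for a short-lived console tool, but worth a comment saying so.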