From 6e94e798be6b34319e7a9142cb303648d73e4bc5 Mon Sep 17 00:00:00 2001
From: zinint
Date: Fri, 25 Oct 2019 16:12:51 +0300
Subject: [PATCH] t1010
---
 .../win_app_windows_descovery.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/windows/process_creation/win_app_windows_descovery.yml
diff --git a/rules/windows/process_creation/win_app_windows_descovery.yml b/rules/windows/process_creation/win_app_windows_descovery.yml
new file mode 100644
index 000000000..6ef25ce14
--- /dev/null
+++ b/rules/windows/process_creation/win_app_windows_descovery.yml
@@ -0,0 +1,31 @@
+title: Application Window Discovery
+status: experimental
+description: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script - https://attack.mitre.org/techniques/T1155/
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1010/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image:
+ - '*\csc.exe'
+ CommandLine:
+ - '*-out:*.cs*'
+ condition: selection1
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1010
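Review bot: The selection in this hunk (`Image: '*\csc.exe'` together with `CommandLine: '*-out:*.cs*'`) matches any command-line C# compilation that names an output file and a .cs source, which is what the referenced atomic test happens to do, not application-window enumeration itself, so the rule fires on ordinary developer and build activity and `falsepositives: - Unknown` understates that; something like `- Software development and build systems compiling C# sources on the command line` reflects the actual detection logic. The `attack.exfiltration` tag does not fit T1010, which ATT&CK places under the Discovery tactic, so the tactic tag paired with `attack.t1010` should be `- attack.discovery`. The description's last sentence about macOS and AppleScript (T1155) does not apply to a Windows process_creation rule and should be dropped or replaced with a sentence saying the rule looks for csc.exe compiling a source file as in the atomic test. The rule also has no `date:` field, and the filename spells discovery as `descovery`.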