MITRE ATT&CK Technique
Description
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020) Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:24.512Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to get a listing of open application '
'windows. Window listings could convey information about how '
'the system is used.(Citation: Prevailion DarkWatchman 2021) '
'For example, information about application windows could be '
'used identify potential data to collect as well as '
'identifying security tooling ([Security Software '
'Discovery](https://attack.mitre.org/techniques/T1518/001)) to '
'evade.(Citation: ESET Grandoreiro April 2020)\n'
'\n'
'Adversaries typically abuse system features for this type of '
'enumeration. For example, they may gather information through '
'native system features such as [Command and Scripting '
'Interpreter](https://attack.mitre.org/techniques/T1059) '
'commands and [Native '
'API](https://attack.mitre.org/techniques/T1106) functions.',
'external_references': [{'external_id': 'T1010',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1010'},
{'description': 'ESET. (2020, April 28). Grandoreiro: '
'How engorged can an EXE get?. '
'Retrieved November 13, 2020.',
'source_name': 'ESET Grandoreiro April 2020',
'url': 'https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/'},
{'description': 'Smith, S., Stafford, M. (2021, '
'December 14). DarkWatchman: A new '
'evolution in fileless techniques. '
'Retrieved January 10, 2022.',
'source_name': 'Prevailion DarkWatchman 2021',
'url': 'https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/'}],
'id': 'attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'discovery'}],
'modified': '2025-10-24T17:48:44.488Z',
'name': 'Application Window Discovery',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'Windows', 'macOS'],
'x_mitre_version': '1.3'}