Comment on page

Application Window Discovery

Discovery

Retrieving running application window titles:
attacker@victim
get-process | where-object {$_.mainwindowtitle -ne ""} | Select-Object mainwindowtitle
A COM method that also includes the process path and window location coordinates:
attacker@victim
[activator]::CreateInstance([type]::GetTypeFromCLSID("13709620-C279-11CE-A49E-444553540000")).windows()
References
https://attack.mitre.org/wiki/Technique/T1010
attack.mitre.org
​

Dump GAL from OWA

Account Discovery & Enumeration

Last modified 4yr ago