
DET0217 Detection Strategy for Extra Window Memory (EWM) Injection on Windows

Item | Value
ID | DET0217
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1055.011 (Extra Window Memory Injection)

Analytics

Windows

AN0608

Detects adversary manipulation of Extra Window Memory (EWM) in a GUI process. The attacker first places shellcode in a memory section shared with the target process, then calls SetWindowLong or SetClassLong (SetWindowLongPtr or SetClassLongPtr in 64-bit processes) to overwrite a function pointer held in a target window's EWM so that it points at that shellcode, and finally triggers execution by sending the window a message with an API such as SendNotifyMessage or PostMessage. Because the payload is delivered through a shared section rather than WriteProcessMemory, the analytic keys on the window-memory write followed closely by the triggering message. Calling SetWindowLong on a window the caller itself owns (subclassing) is routine; the write is only suspicious when the window belongs to a different process.

Log Sources
Data Component | Name | Channel
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10
OS API Execution (DC0021) | etw:Microsoft-Windows-Win32k | SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
Mutable Elements
Field | Description
TargetWindowClassRegex | Regex that scopes suspicious or uncommon GUI window class names registered by user-created processes
ExecutionTriggerWindowMessage | API calls, such as SendNotifyMessage or PostMessage, that deliver execution to the shellcode location
SharedSectionWriteThreshold | Byte-count threshold above which a write to a known shared section is treated as suspicious
TimeWindowSetWindowLongToMessageTrigger | Maximum time (e.g. <10s) between the API call that sets window memory and the message call that triggers it
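The correlation AN0608 describes, run over constructed API telemetry, as an added example that is not part of the DET0217 page or any MITRE tooling. The record shape (ApiEvent fields, including window class and window-owner enrichment), the image names, PIDs, handles and class names are all assumptions made for this example; real Win32k ETW or EDR output must be mapped into that shape. The function exposes three of the page's mutable elements as parameters: the trigger-message set (ExecutionTriggerWindowMessage), the class regex (TargetWindowClassRegex) and the maximum write-to-trigger gap (TimeWindowSetWindowLongToMessageTrigger). Writes to a window the caller owns are discarded as ordinary subclassing.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ApiEvent:
    """One Win32 API telemetry record. The field names are assumptions for this
    example; real ETW/EDR output differs and must be mapped into this shape."""
    ts: float          # seconds since epoch
    pid: int           # calling process
    image: str         # calling process image name
    api: str           # API name as exported by the telemetry source
    hwnd: int          # target window handle
    window_class: str  # class name of the target window (assumed enrichment)
    owner_pid: int     # process that owns the window (assumed enrichment)


# APIs that write window or class memory; the *Ptr forms are what 64-bit code calls.
EWM_SET_APIS: Set[str] = {"SetWindowLong", "SetWindowLongPtr",
                          "SetClassLong", "SetClassLongPtr"}
# Default for ExecutionTriggerWindowMessage, taken from the page's own list.
DEFAULT_TRIGGER_APIS: Set[str] = {"SendNotifyMessage", "PostMessage"}


def detect_ewm_injection(
    events: Iterable[ApiEvent],
    trigger_apis: Set[str] = DEFAULT_TRIGGER_APIS,
    target_window_class_regex: str = r".",
    max_gap_seconds: float = 10.0,
) -> List[dict]:
    """Correlate a cross-process EWM write with a later message to the same window.

    A SetWindowLong/SetClassLong call against a window the caller owns is ordinary
    subclassing and is ignored. A write to a window owned by another process whose
    class matches target_window_class_regex is held as a candidate, and an alert is
    raised when the same caller sends a trigger message to that window within
    max_gap_seconds (TimeWindowSetWindowLongToMessageTrigger).
    """
    class_re = re.compile(target_window_class_regex)
    pending: Dict[Tuple[int, int], ApiEvent] = {}  # (caller pid, hwnd) -> write event
    alerts: List[dict] = []

    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.hwnd)
        if ev.api in EWM_SET_APIS:
            if ev.owner_pid != ev.pid and class_re.search(ev.window_class):
                pending[key] = ev  # keep the most recent cross-process write
        elif ev.api in trigger_apis:
            writer = pending.pop(key, None)  # a trigger consumes the candidate
            if writer is None:
                continue
            delta = ev.ts - writer.ts
            if delta <= max_gap_seconds:
                alerts.append({
                    "pid": ev.pid,
                    "image": ev.image,
                    "owner_pid": ev.owner_pid,
                    "window_class": ev.window_class,
                    "hwnd": ev.hwnd,
                    "set_api": writer.api,
                    "trigger_api": ev.api,
                    "delta_s": delta,
                })
    return alerts


# Constructed sample telemetry for this example; not real captures.
SAMPLE_EVENTS: List[ApiEvent] = [
    # Benign: an application subclasses its own window, then posts to it.
    ApiEvent(100.0, 4100, "notepad.exe", "SetWindowLongPtr", 0x20A, "Notepad", 4100),
    ApiEvent(100.5, 4100, "notepad.exe", "PostMessage", 0x20A, "Notepad", 4100),
    # Suspicious: pid 5200 overwrites EWM of a window owned by pid 1724, then
    # sends the trigger message two seconds later.
    ApiEvent(200.0, 5200, "dropper.exe", "SetWindowLong", 0x1A0, "ExampleShellWnd", 1724),
    ApiEvent(202.0, 5200, "dropper.exe", "SendNotifyMessage", 0x1A0, "ExampleShellWnd", 1724),
    # Cross-process write whose trigger arrives 60 s later: outside the default window.
    ApiEvent(300.0, 6100, "other.exe", "SetClassLong", 0x2B0, "ExampleShellWnd", 1724),
    ApiEvent(360.0, 6100, "other.exe", "PostMessage", 0x2B0, "ExampleShellWnd", 1724),
]


if __name__ == "__main__":
    for alert in detect_ewm_injection(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only the dropper.exe sequence alerts; widening max_gap_seconds to 120 also surfaces the 60-second case, and narrowing the class regex to the benign application's class yields nothing, which is the trade-off the mutable elements exist to tune. Events should be sorted by timestamp before correlation, as the function does, because Win32k ETW records do not arrive strictly ordered across providers.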