T1055.011

Extra Window Memory Injection

Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses and possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must register (or subscribe to) a window class, which stipulates appearance and behavior via window procedures. Registration of a new window class can include a request for up to 40 bytes of EWM. Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a window procedure. Malware may use this memory location as part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address stored in the process's EWM.

Microsoft Sentinel / Defender (KQL)

// Detect EWM injection via suspicious API calls against explorer.exe, which
// owns the Shell_TrayWnd window class that EWM injection targets.
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("SetWindowLongApiCall", "SendMessageApiCall", "CreateRemoteThreadApiCall")
| where FileName =~ "explorer.exe"
| where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe", "ShellExperienceHost.exe", "SearchUI.exe")
// Fallback: process-access events against explorer.exe from processes outside the shell allowlist.
// Note that this branch does not filter on the access rights that were requested.
| union (
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "ProcessAccessedApiCall"
    | where FileName =~ "explorer.exe"
    | where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe", "taskhost.exe", "taskhostw.exe", "ShellExperienceHost.exe")
)
// Project once, after the union, so both branches produce the same columns
| project Timestamp, DeviceName, AccountName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName
| sort by Timestamp desc

Severity: critical. Confidence: high.

Data Sources

  • Process: OS API Execution
  • Process: Process Access
  • Microsoft Defender for Endpoint

Required Tables

DeviceEvents

False Positives

  • Shell extensions and explorer plugins that legitimately modify Shell_TrayWnd properties
  • Taskbar customization tools (StartAllBack, Start11) modifying Shell_TrayWnd EWM
  • Accessibility tools that modify window properties for screen reading
  • System tray management applications interacting with Shell_TrayWnd
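The following Python is an added example, not part of this page or its detection package: it reproduces the filter logic of the KQL query above over constructed DeviceEvents-style records, so the two exclusion lists and the tuning implied by the False Positives section can be exercised offline. The `DeviceEvent` class, the `tuning_allowlist` parameter, the image names (`unknown.exe`, `taskbar_tool.exe` as a stand-in for a taskbar customization tool) and the timestamps are all assumptions or constructed data; only the action types and exclusion lists are taken from the query.

```python
"""Offline mirror of the page's EWM-injection KQL over constructed DeviceEvents-style records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Values mirrored from the page's KQL query.
API_ACTIONS = {"SetWindowLongApiCall", "SendMessageApiCall", "CreateRemoteThreadApiCall"}
ACCESS_ACTION = "ProcessAccessedApiCall"
TARGET = "explorer.exe"
# Each branch of the query carries its own exclusion list; both are compared
# case-insensitively, like the KQL operator !in~.
API_EXCLUDED = {"explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe",
                "ShellExperienceHost.exe", "SearchUI.exe"}
ACCESS_EXCLUDED = {"explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe",
                   "taskhost.exe", "taskhostw.exe", "ShellExperienceHost.exe"}


@dataclass(frozen=True)
class DeviceEvent:
    """Assumed shape: the columns the query projects from DeviceEvents."""
    Timestamp: datetime
    DeviceName: str
    AccountName: str
    ActionType: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    FileName: str


def _lower_set(names):
    return {n.lower() for n in names}


def detect_ewm_injection(events, now, tuning_allowlist=()):
    """Return the events the query would surface, newest first (like `sort by Timestamp desc`).

    tuning_allowlist is a hypothetical tuning knob: extra initiating image names
    (e.g. the taskbar tools named under False Positives) treated as excluded in
    both branches. It is not part of the page's query.
    """
    window_start = now - timedelta(hours=24)          # Timestamp > ago(24h)
    api_excluded = _lower_set(API_EXCLUDED) | _lower_set(tuning_allowlist)
    access_excluded = _lower_set(ACCESS_EXCLUDED) | _lower_set(tuning_allowlist)
    hits = []
    for e in events:
        if e.Timestamp <= window_start or e.FileName.lower() != TARGET:   # FileName =~ "explorer.exe"
            continue
        initiator = e.InitiatingProcessFileName.lower()
        if e.ActionType in API_ACTIONS and initiator not in api_excluded:
            hits.append(e)                            # first branch
        elif e.ActionType == ACCESS_ACTION and initiator not in access_excluded:
            hits.append(e)                            # fallback (process-access) branch
    return sorted(hits, key=lambda e: e.Timestamp, reverse=True)


# Constructed sample telemetry: a fixed reference time and a handful of events.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)


def _ev(hours_ago, action, initiator, target="explorer.exe", cmdline=""):
    return DeviceEvent(NOW - timedelta(hours=hours_ago), "WS-01", "user", action,
                       initiator, cmdline or initiator, target)


SAMPLE_EVENTS = [
    _ev(1,   "SetWindowLongApiCall",    "unknown.exe"),                         # hit: unrecognised initiator
    _ev(1.5, "SendMessageApiCall",      "SearchUI.exe"),                        # excluded by the API-branch list
    _ev(2,   "SetWindowLongApiCall",    "taskbar_tool.exe", target="Explorer.EXE"),  # hit unless tuned out; case-insensitive
    _ev(2.5, "ProcessAccessedApiCall",  "taskhostw.exe"),                       # excluded by the access-branch list
    _ev(3,   "ProcessAccessedApiCall",  "unknown.exe"),                         # hit via the fallback branch
    _ev(4,   "ProcessAccessedApiCall",  "SearchUI.exe"),                        # hit: only the API branch excludes SearchUI.exe
    _ev(5,   "CreateRemoteThreadApiCall", "unknown.exe", target="notepad.exe"), # target is not explorer.exe
    _ev(30,  "SetWindowLongApiCall",    "unknown.exe"),                         # outside the 24h window
]


def run_example(tuning_allowlist=()):
    """Initiating image names of the surfaced events, newest first."""
    return [e.InitiatingProcessFileName
            for e in detect_ewm_injection(SAMPLE_EVENTS, NOW, tuning_allowlist)]


if __name__ == "__main__":
    print("untuned:", run_example())
    print("tuned:  ", run_example(tuning_allowlist=("taskbar_tool.exe",)))
```

Running it shows four untuned hits and three once the taskbar tool is allowlisted. The `SearchUI.exe` process-access hit illustrates a tuning detail worth knowing about the query: the two branches exclude different processes, so an image excluded from the API branch can still surface through the fallback branch.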
