Detect Extra Window Memory Injection in Elastic Security
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior via windows procedures. Registration of new windows classes can include a request for up to 40 bytes of EWM. Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may utilize this memory location in part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.011 Extra Window Memory Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/011/
Elastic Detection Query
any where event.provider == "Microsoft-Windows-Sysmon" and winlog.event_id == 10 and winlog.event_data.TargetImage like~ "*\\explorer.exe" and winlog.event_data.GrantedAccess in~ ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF") and not winlog.event_data.SourceImage like~ ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe", "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\taskhostw.exe", "*\\sihost.exe")Detects EWM injection attempts by monitoring Sysmon EventID 10 (ProcessAccess) events targeting explorer.exe with access rights commonly used for process memory manipulation. EWM injection abuses the Extra Window Memory pointer stored in Shell_TrayWnd to redirect execution to attacker-controlled shellcode.
Data Sources
Required Tables
False Positives & Tuning
- EDR and AV agents (CrowdStrike, SentinelOne, Carbon Black) that legitimately open explorer.exe with elevated access rights for behavioral monitoring and hook installation
- System administration tools such as Process Monitor, Process Hacker, or Sysinternals ProcDump used by IT staff to capture explorer.exe memory dumps during troubleshooting
- Legitimate software installers or shell extension handlers that briefly access explorer.exe with write permissions during COM registration or shell integration setup
Other platforms for T1055.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Shell_TrayWnd Window Handle
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW in command line. API call to FindWindowW with class name Shell_TrayWnd logged by ETW if user32.dll API tracing is enabled.
- Test 2GetWindowLong Extra Memory Read
Expected signal: Sysmon Event ID 1: PowerShell execution with GetWindowLongPtrW. ETW: user32.dll API calls for FindWindowW and GetWindowLongPtrW.
- Test 3Cross-Process Memory Write to Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. If actual OpenProcess with write rights is called: Sysmon Event ID 10 (ProcessAccess) from PowerShell to explorer.exe with PROCESS_VM_WRITE.
References (5)
- https://attack.mitre.org/techniques/T1055/011/
- https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
- https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
Unlock Pro Content
Get the full detection package for T1055.011 including response playbook, investigation guide, and atomic red team tests.