Detect Extra Window Memory Injection in CrowdStrike LogScale
Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior via windows procedures. Registration of new windows classes can include a request for up to 40 bytes of EWM. Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may utilize this memory location in part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.011 Extra Window Memory Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/011/
LogScale Detection Query
#event_simpleName = "TargetProcessAccess"
| TargetImageFileName = /\\explorer\.exe$/i
| DesiredAccess in ["0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF"]
| SourceImageFileName != /\\(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|taskhostw|sihost)\.exe$/i
| InjectorName := replace(SourceImageFileName, /.*\\(.+)$/, "$1")
| EWMSeverity := match(DesiredAccess, [
"0x1FFFFF" -> "Critical - PROCESS_ALL_ACCESS",
"0x001F0FFF" -> "High - Full process rights",
"0x0020" -> "Medium - PROCESS_VM_WRITE",
* -> "Medium - Suspicious access rights"
])
| table([@timestamp, ComputerName, UserName, SourceImageFileName, InjectorName, TargetImageFileName, DesiredAccess, EWMSeverity], sortby="@timestamp", order="desc")CrowdStrike LogScale query using Falcon EDR TargetProcessAccess telemetry to detect EWM injection precursors, identifying non-system processes opening explorer.exe with access rights sufficient for memory manipulation, pointer redirection to EWM, or CreateRemoteThread execution.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor process itself may generate TargetProcessAccess events when performing its own process telemetry collection and injection into explorer.exe for monitoring
- Virtual desktop infrastructure agents (Citrix, VMware Horizon) that access explorer.exe with elevated rights during user profile setup or published application session initialization
- Windows Performance Analyzer, ETW trace sessions, or kernel debugging tools (WinDbg, KD) targeting explorer.exe during developer troubleshooting or performance profiling
Other platforms for T1055.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Shell_TrayWnd Window Handle
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW in command line. API call to FindWindowW with class name Shell_TrayWnd logged by ETW if user32.dll API tracing is enabled.
- Test 2GetWindowLong Extra Memory Read
Expected signal: Sysmon Event ID 1: PowerShell execution with GetWindowLongPtrW. ETW: user32.dll API calls for FindWindowW and GetWindowLongPtrW.
- Test 3Cross-Process Memory Write to Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. If actual OpenProcess with write rights is called: Sysmon Event ID 10 (ProcessAccess) from PowerShell to explorer.exe with PROCESS_VM_WRITE.
References (5)
- https://attack.mitre.org/techniques/T1055/011/
- https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
- https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
Unlock Pro Content
Get the full detection package for T1055.011 including response playbook, investigation guide, and atomic red team tests.