Detect Extra Window Memory Injection in IBM QRadar
Adversaries may inject malicious code into a process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must subscribe to or register a window class, which stipulates appearance and behavior via window procedures. Registration of a new window class can include a request for up to 40 bytes of EWM. Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a window procedure. Malware may use this memory location as part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.011 Extra Window Memory Injection
- Canonical reference
- https://attack.mitre.org/techniques/T1055/011/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
       LOGSOURCENAME(logsourceid) AS LogSource,
       sourceip AS SourceIP,
       username AS User,
       QIDNAME(qid) AS EventName,
       "SourceImage", "TargetImage", "GrantedAccess",
       CASE
         WHEN "GrantedAccess" = '0x1FFFFF'   THEN 'Critical - PROCESS_ALL_ACCESS to explorer.exe'
         WHEN "GrantedAccess" = '0x001F0FFF' THEN 'High - Full process rights to explorer.exe'
         WHEN "GrantedAccess" = '0x0020'     THEN 'Medium - PROCESS_VM_WRITE to explorer.exe'
         ELSE 'Medium - Suspicious access rights to explorer.exe'
       END AS EWMIndicator
FROM events
WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
  AND QIDNAME(qid) LIKE '%Process Access%'
  AND "TargetImage" ILIKE '%\explorer.exe'
  AND "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x1F3FFF', '0x0020', '0x1F1FFF')
  AND NOT ("SourceImage" ILIKE '%\explorer.exe'
        OR "SourceImage" ILIKE '%\csrss.exe'
        OR "SourceImage" ILIKE '%\dwm.exe'
        OR "SourceImage" ILIKE '%\winlogon.exe'
        OR "SourceImage" ILIKE '%\ShellExperienceHost.exe'
        OR "SourceImage" ILIKE '%\SearchUI.exe'
        OR "SourceImage" ILIKE '%\taskhostw.exe'
        OR "SourceImage" ILIKE '%\sihost.exe')
LAST 24 HOURS
ORDER BY devicetime DESC

QRadar AQL query correlating Sysmon process access events (Event ID 10) forwarded via Windows Event Forwarding. It detects non-system processes opening explorer.exe with access masks associated with EWM injection, including PROCESS_ALL_ACCESS and PROCESS_VM_WRITE.
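To exercise the query's logic without a QRadar instance, the following is an added Python replay of the same detection over constructed Sysmon Event ID 10 message bodies; it is not part of this page's detection package. It goes beyond the AQL in one respect: GrantedAccess is decoded as a bitmask instead of matched against the literal strings in the IN-list, so a mask that carries PROCESS_VM_WRITE but is absent from that list is still reported. The exclusion list and the severity labels are the query's own; the bit condition for the High tier and the sample paths are assumptions of this example.

```python
import re

PROCESS_VM_OPERATION = 0x0008   # winnt.h process access rights
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF   # Vista and later value; 0x1F0FFF on older systems

# SourceImage basenames the AQL query excludes (legitimate shell and session processes)
EXCLUDED_SOURCES = {"explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe",
                    "shellexperiencehost.exe", "searchui.exe", "taskhostw.exe", "sihost.exe"}

# Sysmon writes its message body as "Field: value" lines; pull the three fields we need
FIELD_RE = re.compile(r"^(SourceImage|TargetImage|GrantedAccess):\s*(.+?)\s*$", re.M)

def parse_event10(message):
    return dict(FIELD_RE.findall(message))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(fields):
    """EWMIndicator tier for one parsed event, or None. Mirrors the AQL CASE but tests
    mask bits (assumption of this example), so masks outside the AQL IN-list still hit."""
    if basename(fields.get("TargetImage", "")) != "explorer.exe":
        return None
    if basename(fields.get("SourceImage", "")) in EXCLUDED_SOURCES:
        return None
    mask = int(fields["GrantedAccess"], 16)
    write_and_operate = PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    if (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return "Critical - PROCESS_ALL_ACCESS to explorer.exe"
    if (mask & write_and_operate) == write_and_operate:
        return "High - PROCESS_VM_WRITE and PROCESS_VM_OPERATION to explorer.exe"
    if mask & PROCESS_VM_WRITE:
        return "Medium - PROCESS_VM_WRITE to explorer.exe"
    return None

def run(messages):
    """(source basename, tier) for each message body the detection matches."""
    parsed = [parse_event10(m) for m in messages]
    return [(basename(f["SourceImage"]), classify(f)) for f in parsed if classify(f)]

# Constructed sample Event ID 10 bodies (not real telemetry)
SAMPLE_MESSAGES = [
    "Process accessed:\nSourceImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x1FFFFF\n",
    "Process accessed:\nSourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x0028\n",
    "Process accessed:\nSourceImage: C:\\Windows\\System32\\dwm.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x1FFFFF\n",
]
```

The third sample is dropped by the exclusion list even though its mask is PROCESS_ALL_ACCESS, which is exactly the blind spot the tuning section below describes for agents that legitimately hold such handles.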
False Positives & Tuning
- Security product agents (endpoint protection platforms, DLP solutions) that require high-privilege handles to explorer.exe for runtime behavior interception and policy enforcement
- Remote monitoring and management agents (Kaseya VSA, ConnectWise Automate, Datto RMM) that interact with the Windows shell process during remote session establishment or software deployment
- Windows diagnostic and crash dump utilities (WerFault.exe, ProcDump, Windows Error Reporting) that access explorer.exe memory during crash capture or performance analysis
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enumerate Shell_TrayWnd Window Handle
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW in command line. API call to FindWindowW with class name Shell_TrayWnd logged by ETW if user32.dll API tracing is enabled.
- Test 2: GetWindowLong Extra Memory Read
Expected signal: Sysmon Event ID 1: PowerShell execution with GetWindowLongPtrW. ETW: user32.dll API calls for FindWindowW and GetWindowLongPtrW.
- Test 3: Cross-Process Memory Write to Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. If actual OpenProcess with write rights is called: Sysmon Event ID 10 (ProcessAccess) from PowerShell to explorer.exe with PROCESS_VM_WRITE.
References (5)
- https://attack.mitre.org/techniques/T1055/011/
- https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
- https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx