Detects adversary manipulation of Extra Window Memory (EWM) in a GUI process, where the attacker uses SetWindowLong or SetClassLong to redirect function pointers to injected shellcode stored in shared memory, then triggers execution via a window message like SendNotifyMessage.

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Win32k | SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |

| Field | Description |
|---|---|
| TargetWindowClassRegex | Regex to scope suspicious or uncommon GUI class names registered by user-created processes |
| ExecutionTriggerWindowMessage | API calls like SendNotifyMessage or PostMessage that deliver execution to the shellcode location |
| SharedSectionWriteThreshold | Set byte count thresholds on suspicious memory writes to known shared sections |
| TimeWindowSetWindowLongToMessageTrigger | Define max time (e.g., <10s) between API call to set window memory and the message call to trigger it |
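The correlation the fields above describe, as an added example that is not part of the analytic itself: it pairs a SetWindowLong/SetClassLong call with a later trigger message against the same window class from the same process, scoped by a class-name regex and a maximum set-to-trigger gap. The event shape (ts, pid, api, class) and the class names in the sample are constructed assumptions, not a real Win32k ETW schema.

```python
import re
from datetime import datetime, timedelta

# API names taken from the OS API Execution channel listed above.
SET_APIS = {"SetWindowLong", "SetClassLong"}
TRIGGER_APIS = {"SendNotifyMessage", "PostMessage"}  # ExecutionTriggerWindowMessage

# Constructed sample trace (assumed shape; not real ETW output).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 4242, "api": "SetWindowLong", "class": "SampleTrayWnd"},
    {"ts": "2024-01-01T10:00:03", "pid": 4242, "api": "SendNotifyMessage", "class": "SampleTrayWnd"},
    {"ts": "2024-01-01T10:05:00", "pid": 5151, "api": "SetClassLong", "class": "SampleTrayWnd"},
    {"ts": "2024-01-01T10:06:00", "pid": 5151, "api": "PostMessage", "class": "SampleTrayWnd"},  # 60s later
    {"ts": "2024-01-01T10:07:00", "pid": 6161, "api": "SendNotifyMessage", "class": "EditorMainWnd"},  # no prior set
]


def detect_ewm(events, target_class_regex=r".*", max_gap_seconds=10):
    """Return one alert per (pid, class) where a set-window-memory call is
    followed by a trigger message within max_gap_seconds.
    target_class_regex plays the role of TargetWindowClassRegex and
    max_gap_seconds that of TimeWindowSetWindowLongToMessageTrigger."""
    pattern = re.compile(target_class_regex)
    gap = timedelta(seconds=max_gap_seconds)
    pending = {}  # (pid, class) -> timestamp of the most recent set call
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not pattern.search(ev["class"]):
            continue  # out of scope for this analytic
        key = (ev["pid"], ev["class"])
        ts = datetime.fromisoformat(ev["ts"])
        if ev["api"] in SET_APIS:
            pending[key] = ts  # remember the write; wait for a trigger
        elif ev["api"] in TRIGGER_APIS and key in pending:
            delta = ts - pending.pop(key)  # consume the pending set call
            if delta <= gap:
                alerts.append({"pid": ev["pid"], "class": ev["class"],
                               "trigger": ev["api"],
                               "set_to_trigger_s": delta.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ewm(SAMPLE_EVENTS, target_class_regex=r"^Sample"):
        print(alert)
```

Widening max_gap_seconds or the class regex shows how the two tuning fields trade false negatives against noise from legitimate GUI code that also calls SetWindowLong before posting messages.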