Detects message-based injection (ListPlanting) by monitoring for the following sequence from one process against another: locating a target window with FindWindow, EnumWindows or EnumChildWindows; obtaining a handle to the target process and allocating memory in it (VirtualAllocEx or related API calls); a run of PostMessage/SendMessage calls to a SysListView32 control that copy the payload into the target's memory a few bytes at a time (e.g., LVM_SETITEMPOSITION), used in place of WriteProcessMemory; and finally an LVM_SORTITEMS message, whose comparison-callback parameter is what triggers execution.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Win32k | SendMessage, PostMessage, LVM_* |

| Field | Description |
|---|---|
| TimeWindow_PostMessage_to_LVM_SORTITEMS | Maximum time allowed between the first LVM_SETITEMPOSITION message that copies payload bytes and the LVM_SORTITEMS message that triggers execution |
| TargetWindowClassName | Restricts detection to SysListView32 or similar list-view control classes |
| UserContextAnomalyThreshold | Adjusts sensitivity to users sending window messages to processes in another session or user context |
| InterprocessWindowMessagingFrequency | Raises an alert when the rate of messages sent to foreign GUI processes exceeds the baseline |
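The sequence described above, expressed as a correlation analytic over constructed, normalized events. This is an added example, not part of this ATT&CK entry and not a vendor analytic: the flat event schema, the existence of a per-message feed carrying source and target PIDs alongside Sysmon EID 10 records, and the threshold values are assumptions; the LVM_* message IDs are the real values from CommCtrl.h.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# List-view message IDs from CommCtrl.h (LVM_FIRST = 0x1000).
LVM_SETITEMPOSITION = 0x100F  # LVM_FIRST + 15: stores a POINT in an item, a few bytes per message
LVM_SORTITEMS = 0x1030        # LVM_FIRST + 48: lParam is a comparison-callback pointer

# Tunables mirroring the mutable elements table; the values are assumptions for this example.
TIME_WINDOW_POSTMESSAGE_TO_LVM_SORTITEMS = 30.0  # seconds
TARGET_WINDOW_CLASS_NAMES = {"SysListView32"}
MIN_POSITION_WRITES = 4  # a payload needs many small writes; a user drag moves one item

# Constructed, normalized events (not real telemetry): Sysmon EID 10 process-access
# records plus a hypothetical window-message feed with the same src/dst PID fields.
EVENTS = [
    # Suspicious: cross-process handle, four position writes, then the sort trigger.
    {"ts": "2024-05-01T10:00:00", "src": 4321, "dst": 1337, "type": "ProcessAccess"},
    {"ts": "2024-05-01T10:00:01", "src": 4321, "dst": 1337, "type": "SendMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:00:01", "src": 4321, "dst": 1337, "type": "SendMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:00:02", "src": 4321, "dst": 1337, "type": "SendMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:00:02", "src": 4321, "dst": 1337, "type": "SendMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:00:05", "src": 4321, "dst": 1337, "type": "PostMessage", "msg": LVM_SORTITEMS, "class": "SysListView32"},
    # Benign: a process repositioning items in its own list-view (same PID on both sides).
    {"ts": "2024-05-01T10:01:00", "src": 2000, "dst": 2000, "type": "SendMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:01:00", "src": 2000, "dst": 2000, "type": "SendMessage", "msg": LVM_SORTITEMS, "class": "SysListView32"},
    # Benign: cross-process messages to a list-view, but no process handle was ever opened.
    {"ts": "2024-05-01T10:02:00", "src": 3000, "dst": 2000, "type": "PostMessage", "msg": LVM_SETITEMPOSITION, "class": "SysListView32"},
    {"ts": "2024-05-01T10:02:01", "src": 3000, "dst": 2000, "type": "PostMessage", "msg": LVM_SORTITEMS, "class": "SysListView32"},
]


def _is_msg(event, msg_id, classes):
    """True if the event is a window message with the given ID sent to a watched control class."""
    return (event["type"] in ("SendMessage", "PostMessage")
            and event.get("msg") == msg_id
            and event.get("class") in classes)


def detect_listplanting(events, window_seconds=TIME_WINDOW_POSTMESSAGE_TO_LVM_SORTITEMS,
                        classes=TARGET_WINDOW_CLASS_NAMES, min_writes=MIN_POSITION_WRITES):
    """Return one alert per (src, dst) PID pair that shows the full ListPlanting sequence."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically; sort is stable
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        if src == dst:
            continue  # a process sorting its own list-view is ordinary GUI behaviour
        # Stage 1: a handle to the target (Sysmon EID 10) or an allocation inside it.
        if not any(e["type"] in ("ProcessAccess", "VirtualAllocEx") for e in evs):
            continue
        # Stage 2: enough position writes to carry a payload, all to the watched control class.
        writes = [e for e in evs if _is_msg(e, LVM_SETITEMPOSITION, classes)]
        if len(writes) < min_writes:
            continue
        # Stage 3: the sort trigger must land within the window after the first payload write.
        first_write = datetime.fromisoformat(writes[0]["ts"])
        deadline = first_write + timedelta(seconds=window_seconds)
        for e in evs:
            if _is_msg(e, LVM_SORTITEMS, classes):
                trigger = datetime.fromisoformat(e["ts"])
                if first_write <= trigger <= deadline:
                    alerts.append({
                        "src": src, "dst": dst,
                        "writes": len(writes),
                        "seconds_to_trigger": (trigger - first_write).total_seconds(),
                        # Absence of WriteProcessMemory is what sets this apart from classic injection.
                        "wpm_seen": any(x["type"] == "WriteProcessMemory" for x in evs),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_listplanting(EVENTS):
        print(alert)
```

Running the module prints a single alert for the PID 4321 to PID 1337 pair; the self-targeted pair and the pair with no process handle fall through the first two stages. Shrinking `window_seconds` or raising `min_writes` is how the TimeWindow and frequency elements above trade recall for precision.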