AN0608: Analytic 0608
Detects adversary manipulation of Extra Window Memory (EWM) in a GUI process, where the attacker uses SetWindowLong or SetClassLong to redirect function pointers to injected shellcode stored in shared memory, then triggers execution via a window message like SendNotifyMessage.
Analyst context for executives and security teams
AN0608 is a Windows detection analytic focused on abuse of Extra Window Memory in GUI processes. The practical significance is that this behavior can turn normal-looking desktop application activity into a code-execution path, so defenders should not rely only on process names or parent-child process patterns. For leaders, this is a reminder that endpoint visibility into GUI process behavior and memory-related activity can be important for detecting stealthier execution techniques.
Executive priority
Prioritize this as an endpoint detection and incident response readiness question for Windows environments: can the SOC see suspicious manipulation of GUI window/class data and related message-triggered execution, or would this be invisible behind trusted applications? Because the supplied ATT&CK object provides no mitigation text, tactic mapping, or relationship context, this should be treated as a coverage-validation item rather than a stand-alone risk ranking.
Technical view
Validate whether Windows endpoint telemetry and detection logic can identify suspicious use of GUI-related APIs such as SetWindowLong or SetClassLong when they are used to redirect function pointers toward injected code in shared memory, followed by execution triggered through window messaging such as SendNotifyMessage. SOC teams should test whether current EDR, memory, API, and behavioral telemetry can correlate these events inside GUI processes instead of only alerting on process creation or command-line activity. IR teams should be prepared to examine affected GUI processes, memory regions, window/class state changes, and message activity when this analytic fires or when related suspicious execution is suspected.
Likely telemetry
- Windows endpoint detection and response telemetry from GUI processes
- API call or behavioral telemetry involving SetWindowLong and SetClassLong
- Window message telemetry or behavioral traces involving SendNotifyMessage-like activity
- Process memory telemetry showing injected code or shared memory use
- Process, module, and thread context for the affected GUI process
Detection direction
- Confirm whether tooling can observe the specific behavioral chain described: GUI process manipulation, Extra Window Memory or class/window data changes, pointer redirection, shared-memory code presence, and message-triggered execution.
- Tune detections around sequences and context rather than single API names, since legitimate GUI software may use window/class APIs.
- Review false positives from accessibility tools, UI automation, desktop management software, and legitimate applications that modify window or class data.
- Look for blind spots where EDR does not expose GUI API activity, memory-region details, or window message context.
- Because no ATT&CK relationships or tactic mappings were supplied, avoid over-scoping this analytic to a specific campaign, technique chain, or intrusion phase without local evidence.
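The sequence-and-context tuning described above, as an added example that is not part of the ATT&CK object or Glexia's analysis: a small Python correlator that fires only when a Set*Long call writes a pointer into memory not backed by a loaded module and the same window then receives SendNotifyMessage within a short window. The event schema (ts, pid, hwnd, api, value_backed) is an assumption about what an EDR might export, and the events are constructed.

```python
from collections import defaultdict

# APIs named in the analytic; the *Ptr variants are the 64-bit forms.
SETTERS = {"SetWindowLong", "SetWindowLongPtr", "SetClassLong", "SetClassLongPtr"}
TRIGGERS = {"SendNotifyMessage"}
WINDOW_SECS = 60  # assumed: setter and trigger must occur within this many seconds

# Constructed EDR-style events (assumed schema, not any product's real format).
# value_backed: True when the pointer written by Set*Long lies inside a loaded
# module's image; False when it points into unbacked or shared memory.
SAMPLE_EVENTS = [
    # pid 100: accessibility tool subclassing a window with a pointer in its own DLL
    {"ts": 10, "pid": 100, "hwnd": 0x1A0, "api": "SetWindowLongPtr", "value_backed": True},
    {"ts": 11, "pid": 100, "hwnd": 0x1A0, "api": "SendNotifyMessage"},
    # pid 200: pointer redirected into unbacked memory, then a message to the same hwnd
    {"ts": 20, "pid": 200, "hwnd": 0x2B0, "api": "SetWindowLongPtr", "value_backed": False},
    {"ts": 25, "pid": 200, "hwnd": 0x2B0, "api": "SendNotifyMessage"},
    # pid 300: unbacked pointer, but the trigger arrives long after the window closes
    {"ts": 30, "pid": 300, "hwnd": 0x3C0, "api": "SetClassLong", "value_backed": False},
    {"ts": 500, "pid": 300, "hwnd": 0x3C0, "api": "SendNotifyMessage"},
]


def correlate_ewm(events, window=WINDOW_SECS):
    """Return one alert per (pid, hwnd) where an unbacked Set*Long write was
    followed by a trigger message on that hwnd within `window` seconds."""
    pending = defaultdict(dict)  # pid -> {hwnd: ts of the suspicious setter}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, hwnd = ev["pid"], ev["hwnd"]
        if ev["api"] in SETTERS and not ev.get("value_backed", True):
            pending[pid][hwnd] = ev["ts"]
        elif ev["api"] in TRIGGERS and hwnd in pending[pid]:
            set_ts = pending[pid].pop(hwnd)  # consume the setter either way
            if ev["ts"] - set_ts <= window:
                alerts.append({"pid": pid, "hwnd": hwnd,
                               "setter_ts": set_ts, "trigger_ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in correlate_ewm(SAMPLE_EVENTS):
        print(f"EWM sequence: pid={a['pid']} hwnd={a['hwnd']:#x} "
              f"set@{a['setter_ts']} trigger@{a['trigger_ts']}")
```

Only pid 200 is reported; the module-backed pointer in pid 100 and the stale trigger in pid 300 are the false-positive classes the list above asks you to tune out.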
Mitigation priorities
- Ensure Windows endpoints running GUI workloads are covered by EDR or equivalent telemetry capable of memory and behavioral inspection.
- Harden and monitor high-value workstations and servers with interactive desktop exposure, especially where trusted GUI processes handle sensitive workflows.
- Use application control, least privilege, and endpoint hardening to reduce opportunities for untrusted code to execute inside user processes.
- Prepare incident response procedures for collecting process memory, module lists, thread context, and endpoint telemetry when GUI process manipulation is suspected.
- Document telemetry availability and analytic limitations as compliance or audit evidence for endpoint monitoring coverage.
Analyst notes and limits
This object is a detection analytic, not a technique or procedure example. The official description is specific to Windows GUI process manipulation using Extra Window Memory and related API/message behavior, but no official detection logic, tactic mapping, mitigations, or relationships were supplied. Treat this as guidance for coverage validation and detection engineering, not proof of current exposure or active adversary use.
The supplied ATT&CK fields do not include official detection content, mapped techniques, tactics, groups, software, campaigns, mitigations, data sources, or procedure examples. Local endpoint telemetry, EDR capabilities, and application behavior are required to determine whether this analytic is implementable and useful in a given environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ed297bde1722… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.