T1055.015 ListPlanting Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect ListPlanting via suspicious cross-process window message sending
// Key indicators: processes sending LVM_ messages to SysListView32 controls in other processes
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("SendMessageApiCall", "PostMessageApiCall", "CreateRemoteThreadApiCall")
| where FileName =~ "explorer.exe" or ProcessCommandLine has "SysListView32"
| where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe", "ShellExperienceHost.exe", "SearchUI.exe", "taskhostw.exe")
| project Timestamp, DeviceName, AccountName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName
| sort by Timestamp desc
| union (
    // Also detect FindWindow targeting SysListView32
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any ("SysListView32", "LVM_SORTITEMS", "ListView_SortItems", "FindWindow", "EnumWindows")
    | where ProcessCommandLine has_any ("inject", "payload", "shellcode", "VirtualAllocEx", "WriteProcessMemory")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: OS API Execution Process: Process Access Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceProcessEvents

False Positives

Legitimate applications using SendMessage to interact with list-view controls for UI automation
Accessibility tools sending window messages to SysListView32 for screen reading
Test automation frameworks (AutoIt, AutoHotkey) interacting with list-view controls
Windows shell extensions communicating with explorer's list-view for file management

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  TargetImage="*\\explorer.exe"
| where GrantedAccess IN ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A")
| rename SourceImage as ListPlanter, TargetImage as Target
| search NOT ListPlanter IN ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe", "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\sihost.exe", "*\\taskhostw.exe", "*\\RuntimeBroker.exe")
| eval ListPlantIndicator=case(
    GrantedAccess="0x1FFFFF", "Critical - PROCESS_ALL_ACCESS to explorer (ListPlanting requires VM_WRITE + VM_OPERATION)",
    match(GrantedAccess, "0x0020"), "High - PROCESS_VM_WRITE to explorer (needed for VirtualAllocEx or message-based copy)",
    1=1, "Medium - Suspicious cross-process access to explorer"
)
| table _time, host, User, ListPlanter, Target, GrantedAccess, ListPlantIndicator
| sort - _time

high severity medium confidence

Data Sources

Process: Process Access Sysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Shell extensions accessing explorer.exe for integration
Accessibility tools accessing explorer for screen reading
UI automation frameworks interacting with explorer
File management tools communicating with explorer's file list view

Elastic Security (EQL)

eql

sequence by host.id, winlog.event_data.SourceProcessId [maxspan=2m]
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "10" and
   winlog.event_data.TargetImage like~ "*\\explorer.exe" and
   winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A") and
   not winlog.event_data.SourceImage like~ ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe", "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\sihost.exe", "*\\taskhostw.exe", "*\\RuntimeBroker.exe", "*\\svchost.exe")]
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "8" and
   winlog.event_data.TargetImage like~ "*\\explorer.exe" and
   not winlog.event_data.SourceImage like~ ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe")]

high severity high confidence

Data Sources

Microsoft-Windows-Sysmon

Required Tables

logs-windows.sysmon_operational-* winlogbeat-*

False Positives

EDR/AV agents that open full-access handles to explorer.exe for behavioral monitoring and may also inject protective DLLs, generating both Event ID 10 and Event ID 8 in sequence
Accessibility software and assistive technology tools (screen readers, on-screen keyboards) that legitimately inject helper threads into the Windows shell process
Application virtualization or compatibility shim frameworks that hook into explorer.exe during shell integration, requiring VM_WRITE access followed by a remote thread for initialization

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "SourceImage" AS ListPlanter,
  "TargetImage" AS Target,
  "GrantedAccess",
  username,
  sourceip AS HostIP,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN "GrantedAccess" = '0x1FFFFF' THEN 'Critical - PROCESS_ALL_ACCESS to explorer (ListPlanting requires VM_WRITE + VM_OPERATION)'
    WHEN "GrantedAccess" = '0x0020'   THEN 'High - PROCESS_VM_WRITE to explorer (needed for VirtualAllocEx or message-based copy)'
    ELSE 'Medium - Suspicious cross-process handle to explorer'
  END AS ListPlantIndicator
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND "EventID" = '10'
  AND "TargetImage" ILIKE '%\\explorer.exe'
  AND "GrantedAccess" IN ('0x1FFFFF', '0x001F0FFF', '0x1F3FFF', '0x0020', '0x1F1FFF', '0x143A')
  AND "SourceImage" NOT ILIKE '%\\explorer.exe'
  AND "SourceImage" NOT ILIKE '%\\csrss.exe'
  AND "SourceImage" NOT ILIKE '%\\dwm.exe'
  AND "SourceImage" NOT ILIKE '%\\winlogon.exe'
  AND "SourceImage" NOT ILIKE '%\\ShellExperienceHost.exe'
  AND "SourceImage" NOT ILIKE '%\\SearchUI.exe'
  AND "SourceImage" NOT ILIKE '%\\sihost.exe'
  AND "SourceImage" NOT ILIKE '%\\taskhostw.exe'
  AND "SourceImage" NOT ILIKE '%\\RuntimeBroker.exe'
LAST 24 HOURS
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon Windows Event Log

Required Tables

events

False Positives

Enterprise endpoint management agents (Tanium, BigFix, SCCM) that perform process inspection against explorer.exe and may open broad handles during software deployment or patching workflows
Windows Defender or third-party AV products that open handles to explorer.exe with high access rights during real-time protection scanning or DLL injection for user-mode hooks
Crash dump collection tools such as WerFault.exe or third-party APM agents that open PROCESS_ALL_ACCESS handles to explorer.exe during diagnostics collection

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventID=10 TargetImage=*\explorer.exe
| parse field=GrantedAccess "*" as GrantedAccess
| parse field=SourceImage "*" as SourceImage
| where GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A")
| where !(SourceImage matches "(?i).*(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$")
| eval SeverityLabel = if(GrantedAccess = "0x1FFFFF", "Critical - PROCESS_ALL_ACCESS to explorer",
    if(GrantedAccess = "0x0020", "High - PROCESS_VM_WRITE to explorer",
    "Medium - Suspicious cross-process handle to explorer"))
| fields _messageTime, _sourceHost, User, SourceImage, TargetImage, GrantedAccess, SeverityLabel
| sort by _messageTime desc

high severity medium confidence

Data Sources

Microsoft-Windows-Sysmon

Required Tables

_sourceCategory=windows/sysmon

False Positives

Endpoint security products that inject user-mode hooks into explorer.exe for behavioral monitoring require VM_WRITE access and will generate Event ID 10 matches if not excluded by SourceImage path
Remote desktop or session management software (e.g., TeamViewer, AnyDesk) that hooks into the Windows shell process for screen capture or accessibility integration
Software installers and self-updating applications that temporarily open high-privilege handles to explorer.exe during shell extension registration or COM object initialization

Google Chronicle / SecOps

yaral

rule list_planting_explorer_process_access {
  meta:
    author = "Detection Engineering"
    description = "Detects ListPlanting T1055.015 via suspicious cross-process PROCESS_OPEN events targeting explorer.exe with access masks that include write or all-access rights needed to inject code into SysListView32 controls"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.015"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.file.full_path = /(?i).*\\explorer\.exe$/
    not $e.principal.process.file.full_path = /(?i).*\\(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$/
    (
      $e.additional.fields["GrantedAccess"] = "0x1FFFFF" or
      $e.additional.fields["GrantedAccess"] = "0x001F0FFF" or
      $e.additional.fields["GrantedAccess"] = "0x1F3FFF" or
      $e.additional.fields["GrantedAccess"] = "0x0020" or
      $e.additional.fields["GrantedAccess"] = "0x1F1FFF" or
      $e.additional.fields["GrantedAccess"] = "0x143A"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Microsoft-Windows-Sysmon Windows Event Logs

Required Tables

UDM Events (event_type: PROCESS_OPEN)

False Positives

Endpoint detection and response platform agents that open handles to explorer.exe with PROCESS_ALL_ACCESS for live memory forensics or behavioral telemetry collection
Windows accessibility features such as Narrator or Magnifier that inject into the shell process, and third-party screen readers that require VM_WRITE to render accessible overlays
Enterprise application delivery platforms (e.g., Citrix Virtual Apps, VMware App Volumes) that hook into explorer.exe during application layer attachment, requiring elevated process access

CrowdStrike LogScale (CQL)

cql

#event_simpleName=InjectedThread
| TargetImageFileName = /\\explorer\.exe$/i
| not SourceImageFileName = /\\(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$/i
| eval SeverityLabel = "Critical - Thread injected into explorer.exe (ListPlanting execution vector)"
| groupBy(
    [ComputerName, UserName, SourceImageFileName, TargetImageFileName, SeverityLabel],
    function=[count(as=InjectionCount), collect(SourceProcessId)]
  )
| sort(field=InjectionCount, order=desc)
| union [
    #event_simpleName=ProcessRollup2
    | CommandLine = /(?i)(SysListView32|LVM_SORTITEMS|ListView_SortItems|LVM_SETITEMPOSITION|LVM_GETITEMPOSITION).*(inject|payload|shellcode|VirtualAllocEx|WriteProcessMemory)/
    | not ImageFileName = /\\(explorer|csrss|dwm|winlogon|svchost|SearchUI)\.exe$/i
    | eval SeverityLabel = "High - Process command line references ListPlanting API patterns"
    | groupBy(
        [ComputerName, UserName, ImageFileName, CommandLine, SeverityLabel],
        function=count(as=HitCount)
      )
  ]

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor

Required Tables

InjectedThread ProcessRollup2

False Positives

Authorized red team or penetration testing activity using Cobalt Strike, Metasploit, or custom tools performing ListPlanting as part of an approved engagement against test systems
Legitimate security research tools or process monitors (e.g., Process Hacker, Sysinternals Process Explorer) that inject monitoring threads into explorer.exe for introspection
Application compatibility and DPI scaling solutions that inject threads into explorer.exe to normalize rendering behavior across mixed-DPI environments on enterprise systems

ListPlanting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections