T1055.015 Google Chronicle · YARA-L

Detect ListPlanting in Google Chronicle

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.015 ListPlanting
Canonical reference
https://attack.mitre.org/techniques/T1055/015/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule list_planting_explorer_process_access {
  meta:
    author = "Detection Engineering"
    description = "Detects ListPlanting T1055.015 via suspicious cross-process PROCESS_OPEN events targeting explorer.exe with access masks that include write or all-access rights needed to inject code into SysListView32 controls"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.015"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.file.full_path = /(?i).*\\explorer\.exe$/
    not $e.principal.process.file.full_path = /(?i).*\\(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$/
    (
      $e.additional.fields["GrantedAccess"] = "0x1FFFFF" or
      $e.additional.fields["GrantedAccess"] = "0x001F0FFF" or
      $e.additional.fields["GrantedAccess"] = "0x1F3FFF" or
      $e.additional.fields["GrantedAccess"] = "0x0020" or
      $e.additional.fields["GrantedAccess"] = "0x1F1FFF" or
      $e.additional.fields["GrantedAccess"] = "0x143A"
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting ListPlanting T1055.015 by matching UDM PROCESS_OPEN events where a non-system process opens explorer.exe with access masks consistent with memory write operations. Uses UDM principal/target model to correlate source and destination processes, and additional.fields to inspect the raw GrantedAccess value from Sysmon Event ID 10 ingested via Chronicle Forwarder.

Data Sources

Microsoft-Windows-SysmonWindows Event Logs

Required Tables

UDM Events (event_type: PROCESS_OPEN)

False Positives & Tuning

  • Endpoint detection and response platform agents that open handles to explorer.exe with PROCESS_ALL_ACCESS for live memory forensics or behavioral telemetry collection
  • Windows accessibility features such as Narrator or Magnifier that inject into the shell process, and third-party screen readers that require VM_WRITE to render accessible overlays
  • Enterprise application delivery platforms (e.g., Citrix Virtual Apps, VMware App Volumes) that hook into explorer.exe during application layer attachment, requiring elevated process access
Download portable Sigma rule (.yml)

Other platforms for T1055.015

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate SysListView32 Controls in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.

  2. Test 2Cross-Process Memory Allocation in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.

  3. Test 3Window Message Injection Simulation

    Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.

Last updated: 2026-04-16 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO Hijacking

Related Techniques

T1055Process InjectionT1055.011Extra Window Memory InjectionT1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1559Inter-Process Communication

Same Tactic: Defense Evasion

Popular Detections