T1055.015 Elastic Security · Elastic

Detect ListPlanting in Elastic Security

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1055 Process Injection
Sub-technique: T1055.015 ListPlanting
Canonical reference: https://attack.mitre.org/techniques/T1055/015/

Elastic Detection Query (EQL)

sequence by host.id, winlog.event_data.SourceProcessId with maxspan=2m
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "10" and
   winlog.event_data.TargetImage like~ "*\\explorer.exe" and
   winlog.event_data.GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A") and
   not winlog.event_data.SourceImage like~ ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe", "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\sihost.exe", "*\\taskhostw.exe", "*\\RuntimeBroker.exe", "*\\svchost.exe")]
  [any where event.provider == "Microsoft-Windows-Sysmon" and event.code == "8" and
   winlog.event_data.TargetImage like~ "*\\explorer.exe" and
   not winlog.event_data.SourceImage like~ ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe")]

Severity: high. Confidence: high.

Detects ListPlanting (T1055.015) with an EQL sequence that correlates a Sysmon Event ID 10 (ProcessAccess) against explorer.exe carrying a write-capable access mask with a subsequent Sysmon Event ID 8 (CreateRemoteThread) into explorer.exe from the same source process within two minutes. Joining the two events on host.id and SourceProcessId ensures both originate from the same attacker process, which reduces false positives while still capturing the handle-then-thread injection lifecycle. Note that the second stage requires a remote thread: the window-message variant described above, which moves the payload through list-view messages and triggers it with LVM_SORTITEMS, need not open a handle or create a remote thread in explorer.exe, so it would not complete this sequence on its own.
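To show how the sequence semantics behave on concrete telemetry, here is an added Python re-implementation of the rule's two stages and its join on host.id and SourceProcessId, run over constructed Sysmon-style events (it is not Elastic's code; the event layout, file paths, PIDs and timestamps are assumed for illustration). The sample set includes a full handle-plus-thread injection, an excluded svchost.exe handle, a thread that arrives after maxspan, and a handle-only case standing in for the message-based variant.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
# Access masks and source-image exclusions copied from the EQL rule above.
WRITE_MASKS = {"0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A"}
ACCESS_EXCL = ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe",
               "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\sihost.exe",
               "*\\taskhostw.exe", "*\\RuntimeBroker.exe", "*\\svchost.exe")
THREAD_EXCL = ACCESS_EXCL[:4]  # the EID 8 stage only excludes the first four

def _like(value, patterns):  # EQL `like~` is case-insensitive; lower-case both sides
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)
def _sysmon(ev, code):
    return ev["event.provider"] == "Microsoft-Windows-Sysmon" and ev["event.code"] == code

def stage1(ev):  # Sysmon EID 10: write-capable handle to explorer.exe from a non-shell process
    d = ev["winlog.event_data"]
    return (_sysmon(ev, "10") and _like(d["TargetImage"], ["*\\explorer.exe"])
            and d["GrantedAccess"] in WRITE_MASKS and not _like(d["SourceImage"], ACCESS_EXCL))

def stage2(ev):  # Sysmon EID 8: remote thread created in explorer.exe
    d = ev["winlog.event_data"]
    return (_sysmon(ev, "8") and _like(d["TargetImage"], ["*\\explorer.exe"])
            and not _like(d["SourceImage"], THREAD_EXCL))

def detect_listplanting(events, maxspan=timedelta(minutes=2)):
    """Return (host.id, SourceProcessId) pairs where a stage1 event is followed by a
    stage2 event from the same source process within maxspan (events time-ordered per key)."""
    pending, hits = {}, []
    for ev in events:
        key = (ev["host.id"], ev["winlog.event_data"]["SourceProcessId"])
        if stage1(ev):
            pending[key] = ev["@timestamp"]  # open a sequence for this source process
        elif stage2(ev) and key in pending and ev["@timestamp"] - pending.pop(key) <= maxspan:
            hits.append(key)
    return hits

def _ev(host, pid, code, src, access, secs):  # builds one constructed Sysmon-style event (assumed layout)
    return {"@timestamp": datetime(2024, 1, 1, 12, 0) + timedelta(seconds=secs), "host.id": host,
            "event.provider": "Microsoft-Windows-Sysmon", "event.code": code,
            "winlog.event_data": {"SourceProcessId": pid, "SourceImage": src, "GrantedAccess": access,
                                  "TargetImage": "C:\\Windows\\explorer.exe"}}
# Constructed sample telemetry (not real logs): a full handle+thread injection, an excluded
# svchost handle, a thread arriving after maxspan, and a handle-only (message-based) variant.
SAMPLE_EVENTS = [
    _ev("ws01", "4242", "10", "C:\\Users\\bob\\AppData\\Local\\Temp\\inj.exe", "0x143A", 0),
    _ev("ws01", "4242", "8", "C:\\Users\\bob\\AppData\\Local\\Temp\\inj.exe", None, 35),
    _ev("ws01", "5151", "10", "C:\\Windows\\System32\\svchost.exe", "0x1FFFFF", 40),
    _ev("ws02", "7001", "10", "C:\\Tools\\slow.exe", "0x0020", 0),
    _ev("ws02", "9009", "10", "C:\\Tools\\msgonly.exe", "0x0020", 10),
    _ev("ws02", "7001", "8", "C:\\Tools\\slow.exe", None, 200),
]
```

Running detect_listplanting(SAMPLE_EVENTS) yields only ("ws01", "4242"); the handle-only process on ws02 never closes the sequence, which is the coverage gap to keep in mind for the message-passing variant.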

Data Sources

Microsoft-Windows-Sysmon

Required Tables

logs-windows.sysmon_operational-*
winlogbeat-*

False Positives & Tuning

  • EDR/AV agents that open full-access handles to explorer.exe for behavioral monitoring and may also inject protective DLLs, generating both Event ID 10 and Event ID 8 in sequence
  • Accessibility software and assistive technology tools (screen readers, on-screen keyboards) that legitimately inject helper threads into the Windows shell process
  • Application virtualization or compatibility shim frameworks that hook into explorer.exe during shell integration, requiring PROCESS_VM_WRITE (0x0020) access followed by a remote thread for initialization

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate SysListView32 Controls in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in the command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.

  2. Test 2: Cross-Process Memory Allocation in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations are performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.

  3. Test 3: Window Message Injection Simulation

    Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.
