Detect ListPlanting in CrowdStrike LogScale
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.015 ListPlanting
- Canonical reference
- https://attack.mitre.org/techniques/T1055/015/
LogScale Detection Query
#event_simpleName=InjectedThread
| TargetImageFileName = /\\explorer\.exe$/i
| not SourceImageFileName = /\\(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$/i
| eval SeverityLabel = "Critical - Thread injected into explorer.exe (ListPlanting execution vector)"
| groupBy(
[ComputerName, UserName, SourceImageFileName, TargetImageFileName, SeverityLabel],
function=[count(as=InjectionCount), collect(SourceProcessId)]
)
| sort(field=InjectionCount, order=desc)
| union [
#event_simpleName=ProcessRollup2
| CommandLine = /(?i)(SysListView32|LVM_SORTITEMS|ListView_SortItems|LVM_SETITEMPOSITION|LVM_GETITEMPOSITION).*(inject|payload|shellcode|VirtualAllocEx|WriteProcessMemory)/
| not ImageFileName = /\\(explorer|csrss|dwm|winlogon|svchost|SearchUI)\.exe$/i
| eval SeverityLabel = "High - Process command line references ListPlanting API patterns"
| groupBy(
[ComputerName, UserName, ImageFileName, CommandLine, SeverityLabel],
function=count(as=HitCount)
)
]CrowdStrike LogScale (Falcon) query detecting ListPlanting T1055.015 using two correlated sub-queries unioned together: (1) InjectedThread events targeting explorer.exe from non-system processes, catching successful thread injection into the SysListView32 host process; (2) ProcessRollup2 command-line events matching ListPlanting-specific API patterns including SysListView32 control name and LVM_ window message constants combined with memory injection keywords.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing activity using Cobalt Strike, Metasploit, or custom tools performing ListPlanting as part of an approved engagement against test systems
- Legitimate security research tools or process monitors (e.g., Process Hacker, Sysinternals Process Explorer) that inject monitoring threads into explorer.exe for introspection
- Application compatibility and DPI scaling solutions that inject threads into explorer.exe to normalize rendering behavior across mixed-DPI environments on enterprise systems
Other platforms for T1055.015
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate SysListView32 Controls in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.
- Test 2Cross-Process Memory Allocation in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.
- Test 3Window Message Injection Simulation
Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.
References (5)
- https://attack.mitre.org/techniques/T1055/015/
- https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
- https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
Unlock Pro Content
Get the full detection package for T1055.015 including response playbook, investigation guide, and atomic red team tests.