Detect ListPlanting in IBM QRadar
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses and possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack': the payload is copied into the virtual address space of a process that owns a list-view control (SysListView32), and that payload is then registered as the custom comparison callback used to sort the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the heavily monitored WriteProcessMemory function; the destination buffer is still typically allocated with VirtualAllocEx, which needs a handle with PROCESS_VM_OPERATION. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback. Explorer.exe is the usual target because its desktop and folder windows host SysListView32 controls, which is why the query below keys on cross-process handles to explorer.exe.
MITRE ATT&CK
- Technique: T1055 Process Injection
- Sub-technique: T1055.015 ListPlanting
- Canonical reference: https://attack.mitre.org/techniques/T1055/015/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
"SourceImage" AS ListPlanter,
"TargetImage" AS Target,
"GrantedAccess",
username,
sourceip AS HostIP,
QIDNAME(qid) AS EventName,
CASE
WHEN "GrantedAccess" IN ('0x1FFFFF', '0x1F0FFF', '0x1F3FFF', '0x1F1FFF') THEN 'Critical - PROCESS_ALL_ACCESS to explorer (covers VirtualAllocEx, WriteProcessMemory and thread creation)'
WHEN "GrantedAccess" = '0x143A' THEN 'High - VM_OPERATION|VM_READ|VM_WRITE|CREATE_THREAD|QUERY rights to explorer (classic injection mask)'
WHEN "GrantedAccess" = '0x20' THEN 'High - PROCESS_VM_WRITE to explorer (WriteProcessMemory path; VirtualAllocEx additionally needs PROCESS_VM_OPERATION 0x8)'
ELSE 'Medium - Suspicious cross-process handle to explorer'
END AS ListPlantIndicator
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
AND "EventID" = '10'
AND "TargetImage" ILIKE '%\\explorer.exe'
AND "GrantedAccess" IN ('0x1FFFFF', '0x1F0FFF', '0x1F3FFF', '0x1F1FFF', '0x143A', '0x20')
AND "SourceImage" NOT ILIKE '%\\explorer.exe'
AND "SourceImage" NOT ILIKE '%\\csrss.exe'
AND "SourceImage" NOT ILIKE '%\\dwm.exe'
AND "SourceImage" NOT ILIKE '%\\winlogon.exe'
AND "SourceImage" NOT ILIKE '%\\ShellExperienceHost.exe'
AND "SourceImage" NOT ILIKE '%\\SearchUI.exe'
AND "SourceImage" NOT ILIKE '%\\sihost.exe'
AND "SourceImage" NOT ILIKE '%\\taskhostw.exe'
AND "SourceImage" NOT ILIKE '%\\RuntimeBroker.exe'
ORDER BY starttime DESC
LAST 24 HOURS
QRadar AQL query targeting Sysmon Event ID 10 (Process Access) events in which a non-system process opens explorer.exe with an access mask that includes write rights or all-access. The CASE expression assigns a severity from the granted access mask, mirroring the analyst workflow of the Splunk (SPL) version of this rule. Two details matter for the literals: Sysmon writes GrantedAccess as unpadded uppercase hex (0x20, 0x1F0FFF, 0x143A), so padded forms such as 0x0020 or 0x001F0FFF never match, and the AQL time clause (LAST 24 HOURS) must come after ORDER BY.
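As an added illustration (not part of the original rule page), the following Python reproduces the query's target filter, source allowlist and severity tiers over a few constructed Sysmon Event ID 10 message bodies. It decodes GrantedAccess as a bitmask instead of matching strings, so padded and unpadded hex are treated the same and read-only handles are dropped regardless of their exact value. The sample messages, file paths and function names are constructed for the example.

```python
"""Triage Sysmon Event ID 10 records for ListPlanting-style handles to explorer.exe.

Added example: mirrors the AQL rule's logic on the page; not code from the rule itself.
"""
from typing import Optional

# PROCESS_* access-right bits from winnt.h
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS_PRE_VISTA = 0x1F0FFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
PROCESS_ALL_ACCESS = 0x1FFFFF            # Vista+ definition adds 0xF000

RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}

# Same source processes the AQL rule excludes with NOT ILIKE, compared by basename
SOURCE_ALLOWLIST = {
    "explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe",
    "shellexperiencehost.exe", "searchui.exe", "sihost.exe",
    "taskhostw.exe", "runtimebroker.exe",
}


def parse_sysmon_eid10(message: str) -> dict:
    """Parse the 'Key: Value' lines of a Sysmon Event ID 10 message body into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only (paths contain ':')
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def decode_granted_access(value: str):
    """Return (mask, right names). Sysmon logs unpadded hex ('0x20'); int() accepts either form."""
    mask = int(value, 16)
    return mask, [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def classify_handle(event: dict) -> Optional[str]:
    """Severity for one ProcessAccess event, or None when the rule would not fire."""
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    source = event.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    if target != "explorer.exe" or source in SOURCE_ALLOWLIST:
        return None
    mask, _ = decode_granted_access(event["GrantedAccess"])
    if mask & PROCESS_ALL_ACCESS_PRE_VISTA == PROCESS_ALL_ACCESS_PRE_VISTA:
        return "Critical"  # all-access: allocate, write and create a thread, any injection path
    if mask & PROCESS_VM_OPERATION and mask & PROCESS_VM_WRITE:
        return "High"      # VirtualAllocEx and WriteProcessMemory both possible
    if mask & (PROCESS_VM_OPERATION | PROCESS_VM_WRITE):
        return "Medium"    # VM_OPERATION alone still allows VirtualAllocEx for the message-based copy
    return None            # query/read-only handle: outside the rule's scope


# Constructed sample Event ID 10 message bodies (not real telemetry)
SAMPLE_EVENTS = [
    "Process accessed:\nUtcTime: 2024-05-01 09:12:33.120\n"
    "SourceImage: C:\\Users\\alice\\Downloads\\updater.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x1F0FFF\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d524",
    "Process accessed:\nSourceImage: C:\\Temp\\svc.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x143A",
    "Process accessed:\nSourceImage: C:\\Windows\\System32\\RuntimeBroker.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x1FFFFF",   # allowlisted source
    "Process accessed:\nSourceImage: C:\\Program Files\\Monitor\\agent.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\nGrantedAccess: 0x1410",     # read/query only
    "Process accessed:\nSourceImage: C:\\Temp\\svc.exe\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\nGrantedAccess: 0x1F0FFF",  # wrong target
]


def triage(messages) -> list:
    """Return (severity, SourceImage, rights) for each message the rule would alert on."""
    hits = []
    for msg in messages:
        ev = parse_sysmon_eid10(msg)
        severity = classify_handle(ev)
        if severity:
            _, rights = decode_granted_access(ev["GrantedAccess"])
            hits.append((severity, ev["SourceImage"], "|".join(rights)))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

Running the script prints only the first two constructed events: the all-access handle from updater.exe as Critical and the 0x143A handle from svc.exe as High, with the decoded rights beside each. The allowlisted, read-only and non-explorer events are dropped, which is the same outcome the AQL WHERE clause produces.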
False Positives & Tuning
- Enterprise endpoint management agents (Tanium, BigFix, SCCM) that perform process inspection against explorer.exe and may open broad handles during software deployment or patching workflows
- Windows Defender or third-party AV products that open handles to explorer.exe with high access rights during real-time protection scanning or DLL injection for user-mode hooks
- Crash dump collection tools such as WerFault.exe or third-party APM agents that open PROCESS_ALL_ACCESS handles to explorer.exe during diagnostics collection
Testing Methodology
Validate this detection against the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Enumerate SysListView32 Controls in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in the command line. ETW: User32 API calls to FindWindow targeting Shell_TrayWnd and SysListView32.
- Test 2: Cross-Process Memory Allocation in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations are performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe with a GrantedAccess mask that includes PROCESS_VM_OPERATION (0x8), which VirtualAllocEx requires.
- Test 3: Window Message Injection Simulation
Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1030) would trigger payload execution. Window messages do not open a process handle and so produce no Event ID 10 on their own; for the message-based copy variant, the handle opened earlier for VirtualAllocEx is the only ProcessAccess signal this rule can see.
References
- https://attack.mitre.org/techniques/T1055/015/
- https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
- https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview