T1055.015 Microsoft Sentinel · KQL

Detect ListPlanting in Microsoft Sentinel

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.015 ListPlanting
Canonical reference
https://attack.mitre.org/techniques/T1055/015/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect ListPlanting via suspicious cross-process window message sending
// Key indicators: processes sending LVM_ messages to SysListView32 controls in other processes
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("SendMessageApiCall", "PostMessageApiCall", "CreateRemoteThreadApiCall")
| where FileName =~ "explorer.exe" or ProcessCommandLine has "SysListView32"
| where InitiatingProcessFileName !in~ ("explorer.exe", "csrss.exe", "dwm.exe", "winlogon.exe", "ShellExperienceHost.exe", "SearchUI.exe", "taskhostw.exe")
| project Timestamp, DeviceName, AccountName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName
| sort by Timestamp desc
| union (
    // Also detect FindWindow targeting SysListView32
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any ("SysListView32", "LVM_SORTITEMS", "ListView_SortItems", "FindWindow", "EnumWindows")
    | where ProcessCommandLine has_any ("inject", "payload", "shellcode", "VirtualAllocEx", "WriteProcessMemory")
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
)
| sort by Timestamp desc
high severity medium confidence

Detects ListPlanting by monitoring for cross-process window message sending (SendMessage/PostMessage) targeting explorer.exe or SysListView32 controls from non-Explorer processes. Also detects processes with command lines containing ListPlanting-related API names and SysListView32 references. ListPlanting uses LVM_SETITEMPOSITION messages to copy shellcode 2 bytes at a time and LVM_SORTITEMS to trigger execution.

Data Sources

Process: OS API ExecutionProcess: Process AccessMicrosoft Defender for Endpoint

Required Tables

DeviceEventsDeviceProcessEvents

False Positives & Tuning

  • Legitimate applications using SendMessage to interact with list-view controls for UI automation
  • Accessibility tools sending window messages to SysListView32 for screen reading
  • Test automation frameworks (AutoIt, AutoHotkey) interacting with list-view controls
  • Windows shell extensions communicating with explorer's list-view for file management
Download portable Sigma rule (.yml)

Other platforms for T1055.015

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate SysListView32 Controls in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.

  2. Test 2Cross-Process Memory Allocation in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.

  3. Test 3Window Message Injection Simulation

    Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.

Last updated: 2026-04-16 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO Hijacking

Related Techniques

T1055Process InjectionT1055.011Extra Window Memory InjectionT1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1559Inter-Process Communication

Same Tactic: Defense Evasion

Popular Detections