T1055.015 Splunk · SPL

Detect ListPlanting in Splunk

Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.015 ListPlanting
Canonical reference
https://attack.mitre.org/techniques/T1055/015/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  TargetImage="*\\explorer.exe"
| where GrantedAccess IN ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A")
| rename SourceImage as ListPlanter, TargetImage as Target
| search NOT ListPlanter IN ("*\\explorer.exe", "*\\csrss.exe", "*\\dwm.exe", "*\\winlogon.exe", "*\\ShellExperienceHost.exe", "*\\SearchUI.exe", "*\\sihost.exe", "*\\taskhostw.exe", "*\\RuntimeBroker.exe")
| eval ListPlantIndicator=case(
    GrantedAccess="0x1FFFFF", "Critical - PROCESS_ALL_ACCESS to explorer (ListPlanting requires VM_WRITE + VM_OPERATION)",
    match(GrantedAccess, "0x0020"), "High - PROCESS_VM_WRITE to explorer (needed for VirtualAllocEx or message-based copy)",
    1=1, "Medium - Suspicious cross-process access to explorer"
)
| table _time, host, User, ListPlanter, Target, GrantedAccess, ListPlantIndicator
| sort - _time
high severity medium confidence

Detects potential ListPlanting via Sysmon Event ID 10 (ProcessAccess) monitoring cross-process access to explorer.exe from non-system processes. ListPlanting requires either direct memory write access (VirtualAllocEx) or the ability to send window messages (which requires process handle access) to explorer.exe's SysListView32 control. The detection focuses on the prerequisite process access rather than the window messages themselves, since Sysmon doesn't directly log SendMessage calls.

Data Sources

Process: Process AccessSysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Shell extensions accessing explorer.exe for integration
  • Accessibility tools accessing explorer for screen reading
  • UI automation frameworks interacting with explorer
  • File management tools communicating with explorer's file list view
Download portable Sigma rule (.yml)

Other platforms for T1055.015

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate SysListView32 Controls in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.

  2. Test 2Cross-Process Memory Allocation in Explorer

    Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.

  3. Test 3Window Message Injection Simulation

    Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.

Last updated: 2026-04-16 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.015 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO Hijacking

Related Techniques

T1055Process InjectionT1055.011Extra Window Memory InjectionT1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1559Inter-Process Communication

Same Tactic: Defense Evasion

Popular Detections