Detect ListPlanting in Sumo Logic CSE
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.015 ListPlanting
- Canonical reference
- https://attack.mitre.org/techniques/T1055/015/
Sumo Detection Query
_sourceCategory=windows/sysmon EventID=10 TargetImage=*\explorer.exe
| parse field=GrantedAccess "*" as GrantedAccess
| parse field=SourceImage "*" as SourceImage
| where GrantedAccess in ("0x1FFFFF", "0x001F0FFF", "0x1F3FFF", "0x0020", "0x1F1FFF", "0x143A")
| where !(SourceImage matches "(?i).*(explorer|csrss|dwm|winlogon|ShellExperienceHost|SearchUI|sihost|taskhostw|RuntimeBroker)\.exe$")
| eval SeverityLabel = if(GrantedAccess = "0x1FFFFF", "Critical - PROCESS_ALL_ACCESS to explorer",
if(GrantedAccess = "0x0020", "High - PROCESS_VM_WRITE to explorer",
"Medium - Suspicious cross-process handle to explorer"))
| fields _messageTime, _sourceHost, User, SourceImage, TargetImage, GrantedAccess, SeverityLabel
| sort by _messageTime descSumo Logic query detecting ListPlanting T1055.015 by searching Sysmon Event ID 10 logs for cross-process access to explorer.exe with write-capable access masks. Uses parse to extract the GrantedAccess field from raw Sysmon XML and eval to classify severity. Excludes known legitimate Windows shell and session manager processes to reduce noise.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint security products that inject user-mode hooks into explorer.exe for behavioral monitoring require VM_WRITE access and will generate Event ID 10 matches if not excluded by SourceImage path
- Remote desktop or session management software (e.g., TeamViewer, AnyDesk) that hooks into the Windows shell process for screen capture or accessibility integration
- Software installers and self-updating applications that temporarily open high-privilege handles to explorer.exe during shell extension registration or COM object initialization
Other platforms for T1055.015
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate SysListView32 Controls in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution with FindWindowW and FindWindowExW in command line. ETW: User32 API calls for FindWindow targeting Shell_TrayWnd and SysListView32.
- Test 2Cross-Process Memory Allocation in Explorer
Expected signal: Sysmon Event ID 1: PowerShell execution. No actual cross-process operations performed. In a real attack: Sysmon Event ID 10 (ProcessAccess) from the injecting process to explorer.exe.
- Test 3Window Message Injection Simulation
Expected signal: Sysmon Event ID 1: PowerShell with SendMessageW and SysListView32 references. The LVM_GETITEMCOUNT (0x1004) message is read-only and safe. In a real attack: LVM_SORTITEMS (0x1026) would trigger payload execution.
References (5)
- https://attack.mitre.org/techniques/T1055/015/
- https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/
- https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/
- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview
Unlock Pro Content
Get the full detection package for T1055.015 including response playbook, investigation guide, and atomic red team tests.