title: ListPlanting (T1055.015)
id: df00tech-t1055-015
status: experimental
description: "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process. It is a form of message-passing 'shatter attack' that copies code into the virtual address space of a process that uses a list-view control (SysListView32), then uses that code as a custom callback for sorting the listed items. Some variations use window messages (PostMessage/SendMessage with LVM_SETITEMPOSITION and LVM_GETITEMPOSITION) to copy the payload 2 bytes at a time, avoiding the use of the highly monitored WriteProcessMemory function. Execution is triggered by sending the LVM_SORTITEMS message to the SysListView32 control with the payload address as the callback."
references:
  - https://attack.mitre.org/techniques/T1055/015/
  - https://df00tech.com/detections/T1055.015
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.015
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
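  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches any event carrying an EventID field;
  # replace it with the translated logic before deploying this rule.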
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate applications using SendMessage to interact with list-view controls for UI automation
  - Accessibility tools sending window messages to SysListView32 for screen reading
  - "Test automation frameworks (AutoIt, AutoHotkey) interacting with list-view controls"
  - "Windows shell extensions communicating with explorer's list-view for file management"
level: high
