T1055.015: ListPlanting
Essential information
- MITRE technique ID
T1055.015- Confidence
- 100/100
- Revoked
- No
- Published
- 22/11/2021 16:02
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Platforms
windows
Description
Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.
List-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a `SysListView32` control.
ListPlanting (a form of message-passing "shatter attack") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process’ memory space, which can be performed various ways including by directly obtaining a handle to the `SysListView32` child of the victim process window (via Windows API calls such as `FindWindow` and/or `EnumWindows`) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.
Some variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored `WriteProcessMemory` function. For example, an adversary can use the `PostMessage` and/or `SendMessage` API functions to send `LVM_SETITEMPOSITION` and `LVM_GETITEMPOSITION` messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020)
Finally, the payload is triggered by sending the `LVM_SORTITEMS` message to the `SysListView32` child of the process window, with the payload within the newly allocated buffer passed and executed as the `ListView_SortItems` callback.
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.