Skip to content

DET0331 Detection Strategy for ListPlanting Injection on Windows

Item Value
ID DET0331
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1055.015 (ListPlanting)

Analytics

Windows

AN0941

Detects the use of message-based injection by monitoring for sequences involving FindWindow (EnumWindows or EnumChildWindows), VirtualAllocEx or related API calls, combined with suspicious PostMessage/SendMessage (e.g., LVM_SETITEMPOSITION) use to SysListView32 controls, followed by LVM_SORTITEMS invocation instead of WriteProcessMemory.

Log Sources
Data Component Name Channel
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Process Modification (DC0020) WinEventLog:Sysmon EventCode=8
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
OS API Execution (DC0021) etw:Microsoft-Windows-Win32k SendMessage, PostMessage, LVM_*
Mutable Elements
Field Description
TimeWindow_PostMessage_to_LVM_SORTITEMS Defines temporal distance between payload copy and execution trigger
TargetWindowClassName Restrict detection to SysListView32 or similar GUI elements
UserContextAnomalyThreshold Adjusts detection sensitivity to users sending window messages across session boundaries
InterprocessWindowMessagingFrequency Raise alert when rate of message-passing to foreign GUI processes exceeds baseline