MITRE ATT&CK T1055.015 Process Injection: ListPlanting
ListPlanting is a process injection technique that adversaries use to execute malicious code by manipulating internal data structures within the operating system. This technique involves modifying linked lists or execution queues that the OS or security tools rely on to track processes and threads. By injecting malicious code into these structures, attackers can hijack the execution flow and execute their payloads in a way that remains hidden from traditional detection mechanisms.
In this blog post, we explain the T1055.015 ListPlanting technique of the MITRE ATT&CK® framework and explore how adversaries employ ListPlanting with real-world attack examples in detail.
What is a List-view Control?
A list-view control is a graphical user interface (GUI) component that displays a collection of items in a structured format, allowing users to view and interact with data efficiently. Commonly found in Windows applications, it is part of the common controls library in the Windows API and is used to present lists of items with optional icons, checkboxes, and detailed sub-information.
List-view controls are widely used in file explorers, task managers, and data-driven applications, providing a flexible way to display large sets of information. They support multiple view modes, including icon view, list view, detail view, and tile view, allowing users to customize how data is presented. Developers can enhance list-view functionality with features like sorting, filtering, grouping, and user interaction events such as selection and drag-and-drop.
Attackers can exploit list-view controls to inject malicious shellcode into the hijacked processes to bypass process-based defenses and potentially gain privileges within the system.
Adversary Use of ListPlanting
ListPlanting is a form of code injection that exploits the behaviors of list-view controls within the graphical user interface elements of Windows applications. An example flow of the ListPlanting process injection technique is:
- Initial Reconnaissance: An attacker identifies a target application with a list-view control (SysListView32) that stores and displays data in a list-like structure.
- Memory Allocation in Target Process: After obtaining a handle to the SysListView32 window through process injection methods or API calls, the attacker allocates memory in the target process's address space. The attacker aims to use legitimate-looking system calls to avoid detection and may avoid closely monitored functions such as WriteProcessMemory.
- Payload Placement via Windows Messages: Instead of writing to the process's memory space directly, the attacker may use window messages (PostMessage or SendMessage) to inject the payload indirectly. The LVM_SETITEMPOSITION and LVM_GETITEMPOSITION list-view messages can be used to copy the payload into the target process's allocated memory two bytes at a time.
- Setting Up Execution Trigger: The malicious payload serves as a custom sorting callback that runs when the list items are sorted. To arrange for this, the attacker manipulates the list-view control settings so that the injected code is registered as the callback function.
- Triggering Payload Execution: Execution is triggered by sending an LVM_SORTITEMS message, which instructs the SysListView32 control to sort its items and in turn invokes the malicious callback (the previously injected payload).
- Execution: When the target process receives the sorting command, it unknowingly executes the payload in the callback, running the attacker's code within the process. The list-view control's built-in use of callbacks for item sorting is what makes this execution stealthy.
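A defender-side heuristic over the message sequence described in the steps above, added here as an illustration and not code from the original post: it flags a cross-process burst of list-view position messages to a SysListView32 window followed by an LVM_SORTITEMS trigger, while ignoring a process driving its own list-view. The telemetry schema (sender_pid, target_pid, target_class, msg) and the resolution of numeric message IDs to names are assumptions about a hypothetical API-monitoring sensor.

```python
from collections import defaultdict

# Message names from the technique description above; the sensor is
# assumed to resolve numeric window-message IDs to these names.
POSITION_MSGS = {"LVM_SETITEMPOSITION", "LVM_GETITEMPOSITION"}
TRIGGER_MSG = "LVM_SORTITEMS"

# Constructed sample telemetry (not real sensor output): one record per
# window message, as a hypothetical API-monitoring sensor might emit it.
SAMPLE_EVENTS = (
    # A process updating its own list-view: same sender and target, benign.
    [{"sender_pid": 1200, "target_pid": 1200, "target_class": "SysListView32",
      "msg": "LVM_SETITEMPOSITION"} for _ in range(20)]
    + [{"sender_pid": 1200, "target_pid": 1200, "target_class": "SysListView32",
        "msg": "LVM_SORTITEMS"}]
    # An unrelated process writing item positions into that list-view, then sorting.
    + [{"sender_pid": 4711, "target_pid": 1200, "target_class": "SysListView32",
        "msg": m} for m in ["LVM_SETITEMPOSITION", "LVM_GETITEMPOSITION"] * 6]
    + [{"sender_pid": 4711, "target_pid": 1200, "target_class": "SysListView32",
        "msg": "LVM_SORTITEMS"}]
)

def detect_listplanting(events, min_position_msgs=8):
    """Return one alert per (sender, target) pair showing the pattern:
    a different process sends a burst of LVM_SETITEMPOSITION /
    LVM_GETITEMPOSITION messages to a SysListView32 window and then
    an LVM_SORTITEMS trigger."""
    position_count = defaultdict(int)
    alerts = []
    for ev in events:
        # A process driving its own list-view is normal; only cross-process
        # messages to a SysListView32 window are tracked.
        if ev["target_class"] != "SysListView32" or ev["sender_pid"] == ev["target_pid"]:
            continue
        key = (ev["sender_pid"], ev["target_pid"])
        if ev["msg"] in POSITION_MSGS:
            position_count[key] += 1
        elif ev["msg"] == TRIGGER_MSG:
            if position_count[key] >= min_position_msgs:
                alerts.append({"sender_pid": key[0], "target_pid": key[1],
                               "position_msgs": position_count[key]})
            position_count[key] = 0  # a sort ends the current write burst
    return alerts

if __name__ == "__main__":
    for alert in detect_listplanting(SAMPLE_EVENTS):
        print("possible ListPlanting:", alert)
```

The threshold is a tunable assumption; in practice it should be calibrated against how often legitimate processes send position messages across process boundaries in the monitored environment.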