AN0941: Analytic 0941
Detects the use of message-based injection by monitoring for sequences involving FindWindow (EnumWindows or EnumChildWindows), VirtualAllocEx or related API calls, combined with suspicious PostMessage/SendMessage (e.g., LVM_SETITEMPOSITION) use to SysListView32 controls, followed by LVM_SORTITEMS invocation instead of WriteProcessMemory.
Analyst context for executives and security teams
This analytic matters because it focuses on a Windows process-injection pattern that may avoid more familiar memory-write indicators. Instead of relying on WriteProcessMemory, the described behavior combines window enumeration, remote memory allocation, and suspicious Windows message activity against SysListView32 controls. For leaders, the practical question is whether endpoint telemetry and SOC logic can see this less common injection path, not just the standard injection techniques already covered by EDR rules.
Executive priority
Treat this as a coverage-validation item for Windows endpoint detection and incident response readiness. It can help security leaders ask whether current tooling captures user-interface message activity and relevant API sequences well enough to support investigation, containment, and audit evidence. Because ATT&CK provides no tactic, relationship context, or exploitation claims for this analytic, it should be prioritized as a defensive detection engineering gap assessment rather than as evidence of a specific campaign or actor risk.
Technical view
Validate whether Windows telemetry can correlate, per calling process, a sequence of window discovery (FindWindow, EnumWindows, or EnumChildWindows), remote allocation (VirtualAllocEx or a related API) in another process, PostMessage or SendMessage traffic carrying LVM_SETITEMPOSITION to a SysListView32 control, and a subsequent LVM_SORTITEMS message, particularly where no WriteProcessMemory call appears. The message traffic is the point: LVM_SETITEMPOSITION writes caller-chosen x/y values into the list view's item state inside the target process, and LVM_SORTITEMS takes a comparison-callback pointer that the window's owning thread calls, so the sender never needs WriteProcessMemory and execution happens on the target's UI thread rather than in a remote thread the sender created. Telemetry that hooks only memory-write and thread-creation APIs will not see any of it. SOC teams should test whether existing endpoint rules over-focus on classic remote memory write patterns and miss message-based injection indicators, and should confirm that the EDR records SendMessage and PostMessage activity at all, since not every product does. Detection engineering should also account for benign applications that automate or manipulate GUI controls, which send the same messages without allocating remote memory, to reduce false positives.
Likely telemetry
- Windows endpoint API call telemetry for window discovery functions such as FindWindow, EnumWindows, and EnumChildWindows
- Windows endpoint API call telemetry for VirtualAllocEx or related remote allocation activity
- Message activity involving PostMessage or SendMessage
- Windows control/message context for SysListView32, including LVM_SETITEMPOSITION (0x100F) and LVM_SORTITEMS (0x1030); raw telemetry may expose only the numeric message ID, so the detection logic must do the decode
- Process lineage and target-process context around the observed API sequence
Detection direction
- Confirm the SOC can correlate multiple API and message events into a sequence rather than alerting on isolated calls.
- Tune for the combination of remote allocation plus suspicious message activity to SysListView32 controls, as described in the ATT&CK analytic.
- Review detection assumptions that require WriteProcessMemory: the analytic describes the payload being delivered through list-view messages and triggered with LVM_SORTITEMS, so a rule keyed on a remote write API never fires on this path.
- Baseline legitimate GUI automation, accessibility tools, testing frameworks, and administrative utilities that may use window enumeration or message-sending APIs.
- Because no official detection logic is supplied, require local validation with available EDR or Windows telemetry before claiming coverage.
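The correlation described above, as an added example that is not part of the ATT&CK object or of Glexia's analysis: a small sequence correlator run over constructed sample telemetry. The event schema (one record per API call with `ts`, `pid`, `api`, and optional `target_pid`, `window_class`, `msg`) is hypothetical and would need mapping onto your EDR's export; the message IDs are the commctrl.h values; the sequence window and minimum write count are assumed tuning values. Three constructed callers are included: one that completes the message-based chain without WriteProcessMemory, a benign GUI-automation tool that discovers windows and sends list-view messages but allocates no remote memory, and a classic injector that uses WriteProcessMemory with no window messages. Only the first yields a finding.

```python
"""Sequence correlator for message-based (ListPlanting-style) injection telemetry.

Added example, not code from the ATT&CK analytic or from Glexia. The event schema
is a constructed, hypothetical EDR export; message IDs are the commctrl.h values.
"""
from collections import defaultdict

LVM_FIRST = 0x1000
LVM_SETITEMPOSITION = LVM_FIRST + 15  # 0x100F: stores the x/y packed in lParam in the item
LVM_SORTITEMS = LVM_FIRST + 48        # 0x1030: lParam is a comparison-callback pointer

# API telemetry usually reports the A/W variants separately, so list both.
WINDOW_DISCOVERY = {"FindWindowA", "FindWindowW", "EnumWindows", "EnumChildWindows"}
REMOTE_ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
REMOTE_WRITE = {"WriteProcessMemory", "NtWriteVirtualMemory"}
MESSAGE_APIS = {"SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW"}
TARGET_CLASS = "SysListView32"

SEQUENCE_WINDOW_S = 60.0  # assumed tuning value: max span from discovery to LVM_SORTITEMS
MIN_POSITION_WRITES = 4   # assumed tuning value: a payload needs many position messages

# Constructed sample telemetry (hypothetical schema). ts in seconds; pid is the caller;
# target_pid is the process allocated/written to, or the owner of the window messaged.
SAMPLE_EVENTS = [
    # Caller 3100: discovery -> remote alloc -> 8 position writes -> LVM_SORTITEMS, no WPM
    {"ts": 100.0, "pid": 3100, "image": "update.exe", "api": "EnumWindows"},
    {"ts": 100.1, "pid": 3100, "image": "update.exe", "api": "EnumChildWindows"},
    {"ts": 100.3, "pid": 3100, "image": "update.exe", "api": "VirtualAllocEx", "target_pid": 2200},
    *[{"ts": 100.4 + i * 0.01, "pid": 3100, "image": "update.exe", "api": "SendMessageW",
       "target_pid": 2200, "window_class": TARGET_CLASS, "msg": LVM_SETITEMPOSITION}
      for i in range(8)],
    {"ts": 101.0, "pid": 3100, "image": "update.exe", "api": "SendMessageW",
     "target_pid": 2200, "window_class": TARGET_CLASS, "msg": LVM_SORTITEMS},
    # Caller 4242: benign GUI automation, messages but no remote allocation
    {"ts": 200.0, "pid": 4242, "image": "uitest.exe", "api": "FindWindowW"},
    *[{"ts": 200.1 + i * 0.1, "pid": 4242, "image": "uitest.exe", "api": "SendMessageW",
       "target_pid": 2200, "window_class": TARGET_CLASS, "msg": LVM_SETITEMPOSITION}
      for i in range(2)],
    # Caller 5150: classic injection, covered by other rules, no window messages
    {"ts": 300.0, "pid": 5150, "image": "dropper.exe", "api": "VirtualAllocEx", "target_pid": 2200},
    {"ts": 300.1, "pid": 5150, "image": "dropper.exe", "api": "WriteProcessMemory", "target_pid": 2200},
]


def correlate(events, window_s=SEQUENCE_WINDOW_S, min_writes=MIN_POSITION_WRITES):
    """Return one finding per caller that completes discovery -> remote alloc ->
    LVM_SETITEMPOSITION writes -> LVM_SORTITEMS against a SysListView32 window.
    write_api_seen records whether WriteProcessMemory also appeared, so the rule does
    not depend on it."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = None                        # ts of first discovery call in the open sequence
        alloc_targets = set()               # pids that received a remote allocation
        write_targets = set()               # pids that received a remote write (classic path)
        position_writes = defaultdict(int)  # target pid -> LVM_SETITEMPOSITION count
        for ev in evs:
            api, ts = ev["api"], ev["ts"]
            if start is not None and ts - start > window_s:
                # Sequence window expired: discard partial state, wait for new discovery.
                start, alloc_targets, write_targets = None, set(), set()
                position_writes = defaultdict(int)
            if api in WINDOW_DISCOVERY:
                start = ts if start is None else start
                continue
            if start is None:
                continue  # no discovery yet, so not part of a sequence
            tgt = ev.get("target_pid")
            if api in REMOTE_ALLOC and tgt not in (None, pid):
                alloc_targets.add(tgt)
            elif api in REMOTE_WRITE and tgt is not None:
                write_targets.add(tgt)
            elif api in MESSAGE_APIS and ev.get("window_class") == TARGET_CLASS:
                if ev.get("msg") == LVM_SETITEMPOSITION:
                    position_writes[tgt] += 1
                elif (ev.get("msg") == LVM_SORTITEMS and tgt in alloc_targets
                      and position_writes[tgt] >= min_writes):
                    findings.append({
                        "pid": pid, "image": ev.get("image"), "target_pid": tgt,
                        "position_writes": position_writes[tgt],
                        "write_api_seen": tgt in write_targets,
                        "span_s": round(ts - start, 2),
                    })
                    # Close the sequence so one chain produces one finding.
                    start, alloc_targets, write_targets = None, set(), set()
                    position_writes = defaultdict(int)
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The ordering check matters: LVM_SORTITEMS only counts when it arrives after a remote allocation in the same target and after enough position writes, which is what separates the injection chain from an automation tool that happens to send the same messages. The `write_api_seen` field is reported rather than required, so the finding fires whether or not WriteProcessMemory is present.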
Mitigation priorities
- Prioritize endpoint visibility: ensure Windows EDR or equivalent telemetry can capture the API and message classes needed for this analytic.
- Strengthen detection engineering around process injection patterns that do not depend on WriteProcessMemory indicators.
- Maintain allowlists or behavioral baselines for approved GUI automation and accessibility software to support reliable triage.
- Prepare incident response playbooks to collect process lineage, loaded modules, target process context, and correlated endpoint timelines when this pattern is observed.
- Use the analytic as compliance and assurance evidence only after confirming that telemetry retention, alerting, and analyst procedures are in place.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Windows and provides a concise behavioral description but no official detection logic, tactics, or relationship context. The main value is as a hypothesis for coverage testing: can defenders see message-based injection sequences that may not include the classic WriteProcessMemory signal?
No active exploitation, attribution, affected software list, tactics, mitigations, or related techniques were supplied. The object also states that official detection is not provided. Any prioritization beyond Windows endpoint detection coverage requires local telemetry, business process context, and validation in the organization’s environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c41fa5fbf91e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0941
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.