DET0331: Detection Strategy for ListPlanting Injection on Windows
Analyst context for executives and security teams
DET0331 is a MITRE detection strategy for identifying ListPlanting injection on Windows, a process injection behavior where malicious code can run inside another live process and appear to come from a legitimate process. The business significance is that process-based allow/deny assumptions and basic endpoint visibility may be insufficient if teams cannot see cross-process manipulation and suspicious execution context.
Executive priority
Treat this as a validation item for endpoint detection and incident response readiness rather than as a standalone threat claim. Leaders should ask whether Windows endpoint telemetry, SOC procedures, and IR playbooks can distinguish legitimate process activity from code executing in a hijacked process. This matters for control assurance, privilege-escalation risk review, and evidence that endpoint monitoring covers stealthy injection behaviors.
Technical view
The supplied ATT&CK object has no official detection text, but it explicitly detects T1055.015 ListPlanting, which is associated with stealth and privilege escalation on Windows. SOC and detection teams should validate coverage around process injection indicators, especially cases where activity is masked under a legitimate process. Prioritize correlation of process lineage, process access behavior, and loaded-module or memory-related evidence where available; add anomalous GUI/list-view control interaction patterns only where the environment can reliably collect such data.
Likely telemetry
- Windows endpoint process creation and parent/child process lineage
- Process access and cross-process interaction events
- Module load or image load telemetry
- Memory or code-injection related endpoint security events
- User session and interactive desktop context where available
Detection direction
- Confirm whether current detections cover T1055.015 specifically or only generic process injection.
- Tune analytics to account for legitimate software that interacts with other processes to reduce false positives.
- Correlate suspicious execution under trusted processes with unusual lineage, access patterns, privilege context, or module/memory behavior.
- Review blind spots where endpoint telemetry is absent, filtered, or unavailable for interactive desktop/UI-driven activity.
- Use the relationship to T1055.015 to map this strategy into broader process injection detection coverage and ATT&CK reporting.
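An added example, not part of the DET0331 object or the Glexia analysis, of the correlation the bullets above describe: a triage pass over constructed Sysmon-style ProcessAccess records that keeps only write-capable cross-process handles to GUI hosts, then annotates lineage and source-path context. The allowlist, GUI host set, parent list and sample events are assumptions chosen for illustration and would be tuned per environment.

```python
from dataclasses import dataclass

# Access rights that let a caller write code into another process (winnt.h values).
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020
WRITE_CAPABLE = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# Tuning inputs (hypothetical values): trusted injectors, GUI hosts that own
# list-view controls, parents whose children rarely need cross-process access.
ALLOWLISTED_SOURCES = {r"c:\program files\edr\sensor.exe"}
GUI_HOSTS = {"explorer.exe", "regedit.exe"}
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")  # user-writable dirs

@dataclass
class ProcessAccess:
    """One Sysmon-style Event ID 10 record joined with the source's parent image."""
    source_image: str
    source_parent: str
    target_image: str
    granted_access: int

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev):
    """Return the reasons an event merits analyst review; empty means leave it."""
    if ev.source_image.lower() in ALLOWLISTED_SOURCES:
        return []
    if not ev.granted_access & WRITE_CAPABLE:
        return []  # a read-only handle cannot plant code in the target
    if basename(ev.target_image) not in GUI_HOSTS:
        return []
    reasons = ["write-capable handle to GUI host " + basename(ev.target_image)]
    if basename(ev.source_parent) in ODD_PARENTS:
        reasons.append("unusual lineage: parent " + basename(ev.source_parent))
    if any(p in ev.source_image.lower() for p in USER_WRITABLE):
        reasons.append("source image in user-writable path")
    return reasons

# Constructed sample events, not real telemetry.
SAMPLE = [
    ProcessAccess(r"C:\Program Files\EDR\sensor.exe", r"C:\Windows\System32\services.exe",
                  r"C:\Windows\explorer.exe", 0x1FFFFF),
    ProcessAccess(r"C:\Users\u\AppData\Local\Temp\update.exe",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\explorer.exe", 0x0028),
    ProcessAccess(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                  r"C:\Windows\explorer.exe", 0x1000),
]

def review_queue(events):
    return [(basename(e.source_image), triage(e)) for e in events if triage(e)]
```

The allowlisted sensor and the read-only svchost handle drop out; only the Office-spawned binary in a temp directory reaches the review queue, with each contributing signal listed.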
Mitigation priorities
- Prioritize endpoint visibility and retention sufficient to investigate process injection on Windows.
- Harden privileged Windows systems and monitor processes running with elevated rights because the related technique is linked to privilege escalation.
- Review application control and endpoint protection assumptions that rely only on process identity.
- Ensure IR playbooks include triage steps for suspicious activity occurring inside otherwise legitimate processes.
- Document detection gaps and compensating controls for compliance or risk reporting when ListPlanting-specific coverage is not available.
Analyst notes and limits
This take is based on the detection strategy metadata and its relationship to ATT&CK technique T1055.015 ListPlanting. Because MITRE did not provide an official description or detection text for DET0331 in the supplied fields, the guidance focuses on validation questions and telemetry classes implied by the related technique rather than a prescriptive analytic.
No official detection logic, tactics, platforms, or description were supplied for the detection strategy object itself. Windows, stealth, and privilege-escalation context come from the related T1055.015 technique and the object name. Local endpoint tooling, data quality, and business-critical process baselines are required to determine actual coverage.
Detection Strategy for ListPlanting Injection on Windows
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.015 | ListPlanting Sub-technique | This object detects ListPlanting. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 73ab0f86d673… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0331 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.