T1055.005 Thread Local Storage Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect TLS callback abuse indicators
// TLS callbacks execute before the main entry point - look for suspicious process behavior
// immediately after creation (network connections, file writes before expected initialization)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("svchost.exe", "rundll32.exe", "regsvr32.exe", "dllhost.exe", "explorer.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteIPType == "Public"
    | project NetTime=Timestamp, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId
| where datetime_diff('second', NetTime, Timestamp) between (0 .. 5)
| project Timestamp, NetTime, DeviceName, AccountName, InitiatingProcessFileName, FileName, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc

high severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate software with TLS callbacks for license verification or telemetry on startup
Auto-update mechanisms that check for updates immediately on process start
Browser processes establishing connections to configured home pages immediately on launch
Cloud-connected applications that authenticate on startup

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\svchost.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\dllhost.exe")
  NOT (ParentImage="*\\services.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\winlogon.exe")
| rename ProcessId as TargetPID, Image as TargetProcess, ParentImage as ParentProcess
| join type=inner TargetPID host [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
| rename ProcessId as TargetPID]
| eval TimeDelta=abs(_time - relative_time(_time, "-5s"))
| table _time, host, User, ParentProcess, TargetProcess, DestinationIp, DestinationPort
| sort - _time

high severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software with legitimate TLS initialization callbacks
Auto-update checks on process startup
Browser launch with pre-configured pages
Cloud authentication on application startup

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5s
  [process where event.type == "start"
   and process.name in~ ("svchost.exe", "rundll32.exe", "regsvr32.exe", "dllhost.exe", "explorer.exe")
   and not process.parent.name in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe")]
     by process.pid
  [network where event.type == "connection"
   and network.direction == "egress"
   and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
     by process.pid

high severity medium confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Sysmon module Elastic Agent Integration: endpoint

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-*

False Positives

Legitimate software updaters that host logic inside rundll32.exe or svchost.exe and immediately phone home to update distribution servers on process creation (e.g., third-party AV update daemons spawned by task schedulers).
Enterprise DLP or endpoint agents that inject COM surrogate hosts (dllhost.exe) to scan clipboard or file content and upload metadata to cloud analysis endpoints within seconds of initialization.
Windows built-in components (e.g., Windows Search Indexer, BITS client) using svchost.exe that perform immediate external connectivity checks during non-standard boot or recovery sequences with unusual parent chains.

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS HostIP,
       destinationip AS RemoteIP,
       LONG(destinationport) AS RemotePort,
       username AS Username,
       "Process Name" AS TargetProcess,
       "Parent Process Name" AS ParentProcess,
       QIDNAME(qid) AS EventName,
       logsourcename(deviceid) AS LogSource
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 12
  AND QIDNAME(qid) ILIKE '%Network Connect%'
  AND ("Process Name" ILIKE '%\\svchost.exe'
       OR "Process Name" ILIKE '%\\rundll32.exe'
       OR "Process Name" ILIKE '%\\regsvr32.exe'
       OR "Process Name" ILIKE '%\\dllhost.exe'
       OR "Process Name" ILIKE '%\\explorer.exe')
  AND NOT ("Parent Process Name" ILIKE '%\\services.exe'
       OR "Parent Process Name" ILIKE '%\\svchost.exe'
       OR "Parent Process Name" ILIKE '%\\winlogon.exe')
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
  AND NOT INCIDR(destinationip, '127.0.0.0/8')
  AND NOT INCIDR(destinationip, '169.254.0.0/16')
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM with Microsoft Sysmon DSM QRadar WinCollect Agent (Windows Event Log) QRadar Universal DSM with custom Sysmon mapping

Required Tables

events

False Positives

Windows services legitimately hosted in svchost.exe (e.g., DNS Client, BITS, Windows Update) that connect externally and are spawned during system recovery or WMI-triggered restarts with non-standard parent processes.
Software deployment frameworks (SCCM, PDQ Deploy, Ansible WinRM) that invoke rundll32.exe or regsvr32.exe to install components and immediately call back to orchestration servers for status reporting.
Security tools performing COM-based scanning that spawn dllhost.exe and immediately query cloud threat intelligence APIs — particularly when the parent is a non-standard monitoring agent rather than the expected svchost.exe.

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=3
| where !(DestinationIp matches "^10\\.|^172\\.(1[6-9]|2[0-9]|3[01])\\.|^192\\.168\\.|^127\\.|^169\\.254\\.")
| where Image matches "(?i).*\\\\(svchost|rundll32|regsvr32|dllhost|explorer)\\.exe$"
| where !(ParentImage matches "(?i).*\\\\(services|svchost|winlogon)\\.exe$")
| fields _time, ComputerName, User, Image, ParentImage, ProcessId, DestinationIp, DestinationPort, DestinationHostname
| lookup processStartTime from [_sourceCategory="windows/sysmon" EventID=1
  | where Image matches "(?i).*\\\\(svchost|rundll32|regsvr32|dllhost|explorer)\\.exe$"
  | where !(ParentImage matches "(?i).*\\\\(services|svchost|winlogon)\\.exe$")
  | fields ComputerName, ProcessId, _time as processStartTime] on ComputerName, ProcessId
| where isNull(processStartTime) OR abs(_time - processStartTime) <= 5000
| sort by _time desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM with Windows Collector Sumo Logic Installed Collector with Sysmon Event Log Source Sumo Logic OpenTelemetry Collector (Windows)

Required Tables

_sourceCategory=windows/sysmon

False Positives

Enterprise patch management agents using rundll32.exe as a shim that validate licensing or check for updates via HTTPS on first execution, particularly when spawned by scheduled task hosts rather than standard service parents.
Third-party EDR or DLP products that spawn dllhost.exe COM surrogates and immediately upload content fingerprints or behavioral telemetry to their cloud platforms within seconds of initialization.
Windows compatibility subsystem components that legitimately execute via explorer.exe wrappers and perform immediate network initialization (e.g., network share reconnection, cloud storage sync agents).

Google Chronicle / SecOps

yaral

rule tls_callback_process_immediate_public_network {
  meta:
    author = "Detection Engineering"
    description = "Detects potential TLS callback abuse: Windows host process spawned by unexpected parent makes outbound public network connection within 5 seconds of creation"
    technique = "T1055.005"
    tactic = "Defense Evasion, Privilege Escalation"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1055/005/"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /(?i)(svchost|rundll32|regsvr32|dllhost|explorer)\.exe$/
    not $proc.principal.process.file.full_path = /(?i)(services|svchost|explorer|winlogon)\.exe$/

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.ip_protocol = "TCP"
    not $net.target.ip = "10.0.0.0/8"
    not $net.target.ip = "172.16.0.0/12"
    not $net.target.ip = "192.168.0.0/16"
    not $net.target.ip = "127.0.0.0/8"
    not $net.target.ip = "169.254.0.0/16"

    $proc.principal.hostname = $net.principal.hostname
    $proc.target.process.pid = $net.principal.process.pid

    $proc.metadata.event_timestamp.seconds <= $net.metadata.event_timestamp.seconds
    $net.metadata.event_timestamp.seconds <= $proc.metadata.event_timestamp.seconds + 5

  condition:
    $proc and $net
}

high severity medium confidence

Data Sources

Google Chronicle SIEM (Google SecOps) Chronicle Ingestion API with Sysmon UDM parser Google Chronicle with CrowdStrike or Carbon Black telemetry

Required Tables

UDM Events: PROCESS_LAUNCH, NETWORK_CONNECTION

False Positives

Windows telemetry and licensing services hosted in svchost.exe that connect to Microsoft endpoints immediately on creation when spawned during atypical boot sequences (e.g., WMI-triggered service restarts, recovery mode).
Legitimate enterprise software wrapping execution in regsvr32.exe for COM registration that immediately performs cloud-based license activation, particularly in environments with aggressive software deployment pipelines.
Security or observability agents that intentionally inject into system processes for behavioral monitoring and perform immediate cloud check-ins — such as CrowdStrike Falcon, Carbon Black, or SentinelOne sensor components.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)svchost\.exe|rundll32\.exe|regsvr32\.exe|dllhost\.exe|explorer\.exe/
| ParentBaseFileName != /(?i)services\.exe|svchost\.exe|winlogon\.exe/
| ProcessStartTime_decimal as procStart
| TargetProcessId_decimal as SuspectPID
| join(
    [#event_simpleName=NetworkConnectIP4
     | RemoteAddressIP4 != /^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.|^127\.|^169\.254\./
     | ContextProcessId_decimal as SuspectPID
     | ContextTimeStamp_decimal as netTime],
    field=[aid, SuspectPID],
    include=[RemoteAddressIP4, RemotePort, netTime]
  )
| timeDeltaMs := netTime - procStart
| timeDeltaMs >= 0
| timeDeltaMs <= 5000
| select([ComputerName, UserName, ParentBaseFileName, FileName, RemoteAddressIP4, RemotePort, timeDeltaMs])
| sort(timeDeltaMs, order=asc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR with Data Replicator (FDR) Humio / LogScale with Falcon telemetry ingestion CrowdStrike Falcon streaming API

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

CrowdStrike Falcon sensor itself may generate this pattern when its process injection monitoring creates ProcessRollup2 events for child processes it instruments, followed immediately by sensor telemetry network upload events attributed to the same PID.
SCCM or Intune deployment agents that use rundll32.exe or regsvr32.exe as execution hosts for package deployment scripts and immediately report installation status to management infrastructure via HTTPS.
Windows credential roaming or profile sync services that spawn svchost.exe instances for roaming profile downloads and connect immediately to domain controllers or cloud identity providers in a non-standard parent chain during logon storms.

Thread Local Storage

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections