T1055.005 Google Chronicle · YARA-L

Detect Thread Local Storage in Google Chronicle

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.005 Thread Local Storage
Canonical reference
https://attack.mitre.org/techniques/T1055/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule tls_callback_process_immediate_public_network {
  meta:
    author = "Detection Engineering"
    description = "Detects potential TLS callback abuse: Windows host process spawned by unexpected parent makes outbound public network connection within 5 seconds of creation"
    technique = "T1055.005"
    tactic = "Defense Evasion, Privilege Escalation"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1055/005/"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.file.full_path = /(?i)(svchost|rundll32|regsvr32|dllhost|explorer)\.exe$/
    not $proc.principal.process.file.full_path = /(?i)(services|svchost|explorer|winlogon)\.exe$/

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.network.ip_protocol = "TCP"
    not $net.target.ip = "10.0.0.0/8"
    not $net.target.ip = "172.16.0.0/12"
    not $net.target.ip = "192.168.0.0/16"
    not $net.target.ip = "127.0.0.0/8"
    not $net.target.ip = "169.254.0.0/16"

    $proc.principal.hostname = $net.principal.hostname
    $proc.target.process.pid = $net.principal.process.pid

    $proc.metadata.event_timestamp.seconds <= $net.metadata.event_timestamp.seconds
    $net.metadata.event_timestamp.seconds <= $proc.metadata.event_timestamp.seconds + 5

  condition:
    $proc and $net
}
high severity medium confidence

Chronicle YARA-L 2.0 rule joining PROCESS_LAUNCH and NETWORK_CONNECTION UDM events by hostname and process PID within a 5-second window. Fires when a Windows system binary (svchost.exe, rundll32.exe, regsvr32.exe, dllhost.exe, explorer.exe) with an anomalous parent process immediately establishes a TCP connection to a public IP — the characteristic signature of TLS callback shellcode executing before the PE main entry point.

Data Sources

Google Chronicle SIEM (Google SecOps)Chronicle Ingestion API with Sysmon UDM parserGoogle Chronicle with CrowdStrike or Carbon Black telemetry

Required Tables

UDM Events: PROCESS_LAUNCH, NETWORK_CONNECTION

False Positives & Tuning

  • Windows telemetry and licensing services hosted in svchost.exe that connect to Microsoft endpoints immediately on creation when spawned during atypical boot sequences (e.g., WMI-triggered service restarts, recovery mode).
  • Legitimate enterprise software wrapping execution in regsvr32.exe for COM registration that immediately performs cloud-based license activation, particularly in environments with aggressive software deployment pipelines.
  • Security or observability agents that intentionally inject into system processes for behavioral monitoring and perform immediate cloud check-ins — such as CrowdStrike Falcon, Carbon Black, or SentinelOne sensor components.
Download portable Sigma rule (.yml)

Other platforms for T1055.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PE with TLS Callback - Compile and Execute

    Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.

  2. Test 2Ursnif-style TLS Callback Chain Analysis

    Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.

  3. Test 3Process Hollowing with TLS Callback Redirection

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.

Last updated: 2026-04-16 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1027Obfuscated Files or InformationT1106Native API

Same Tactic: Defense Evasion

Popular Detections