Detect Thread Local Storage in Elastic Security
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.005 Thread Local Storage
- Canonical reference
- https://attack.mitre.org/techniques/T1055/005/
Elastic Detection Query
sequence by host.id with maxspan=5s
[process where event.type == "start"
and process.name in~ ("svchost.exe", "rundll32.exe", "regsvr32.exe", "dllhost.exe", "explorer.exe")
and not process.parent.name in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe")]
by process.pid
[network where event.type == "connection"
and network.direction == "egress"
and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
by process.pidElastic EQL sequence detection correlating anomalous process creation from an unexpected parent with an outbound public network connection within 5 seconds on the same process ID. The tight time window targets TLS callback code executing before the PE main entry point, which triggers network beaconing before the host process would normally communicate.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software updaters that host logic inside rundll32.exe or svchost.exe and immediately phone home to update distribution servers on process creation (e.g., third-party AV update daemons spawned by task schedulers).
- Enterprise DLP or endpoint agents that inject COM surrogate hosts (dllhost.exe) to scan clipboard or file content and upload metadata to cloud analysis endpoints within seconds of initialization.
- Windows built-in components (e.g., Windows Search Indexer, BITS client) using svchost.exe that perform immediate external connectivity checks during non-standard boot or recovery sequences with unusual parent chains.
Other platforms for T1055.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PE with TLS Callback - Compile and Execute
Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.
- Test 2Ursnif-style TLS Callback Chain Analysis
Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.
- Test 3Process Hollowing with TLS Callback Redirection
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.
References (4)
- https://attack.mitre.org/techniques/T1055/005/
- https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.005/T1055.005.md
Unlock Pro Content
Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.