T1055.005 CrowdStrike LogScale · LogScale

Detect Thread Local Storage in CrowdStrike LogScale

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.005 Thread Local Storage
Canonical reference
https://attack.mitre.org/techniques/T1055/005/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| FileName = /(?i)svchost\.exe|rundll32\.exe|regsvr32\.exe|dllhost\.exe|explorer\.exe/
| ParentBaseFileName != /(?i)services\.exe|svchost\.exe|winlogon\.exe/
| ProcessStartTime_decimal as procStart
| TargetProcessId_decimal as SuspectPID
| join(
    [#event_simpleName=NetworkConnectIP4
     | RemoteAddressIP4 != /^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.|^127\.|^169\.254\./
     | ContextProcessId_decimal as SuspectPID
     | ContextTimeStamp_decimal as netTime],
    field=[aid, SuspectPID],
    include=[RemoteAddressIP4, RemotePort, netTime]
  )
| timeDeltaMs := netTime - procStart
| timeDeltaMs >= 0
| timeDeltaMs <= 5000
| select([ComputerName, UserName, ParentBaseFileName, FileName, RemoteAddressIP4, RemotePort, timeDeltaMs])
| sort(timeDeltaMs, order=asc)
high severity medium confidence

CrowdStrike LogScale (Humio) query joining ProcessRollup2 and NetworkConnectIP4 Falcon telemetry events by agent ID and process ID. Surfaces cases where Windows system host binaries spawned by unexpected parent processes establish outbound TCP connections to public IPs within 5 seconds of creation — matching the behavior of TLS callback shellcode that executes before the PE loader hands control to the main entry point.

Data Sources

CrowdStrike Falcon EDR with Data Replicator (FDR)Humio / LogScale with Falcon telemetry ingestionCrowdStrike Falcon streaming API

Required Tables

ProcessRollup2NetworkConnectIP4

False Positives & Tuning

  • CrowdStrike Falcon sensor itself may generate this pattern when its process injection monitoring creates ProcessRollup2 events for child processes it instruments, followed immediately by sensor telemetry network upload events attributed to the same PID.
  • SCCM or Intune deployment agents that use rundll32.exe or regsvr32.exe as execution hosts for package deployment scripts and immediately report installation status to management infrastructure via HTTPS.
  • Windows credential roaming or profile sync services that spawn svchost.exe instances for roaming profile downloads and connect immediately to domain controllers or cloud identity providers in a non-standard parent chain during logon storms.
Download portable Sigma rule (.yml)

Other platforms for T1055.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PE with TLS Callback - Compile and Execute

    Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.

  2. Test 2Ursnif-style TLS Callback Chain Analysis

    Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.

  3. Test 3Process Hollowing with TLS Callback Redirection

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.

Last updated: 2026-04-16 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1027Obfuscated Files or InformationT1106Native API

Same Tactic: Defense Evasion

Popular Detections