T1055.005 IBM QRadar · QRadar

Detect Thread Local Storage in IBM QRadar

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.005 Thread Local Storage
Canonical reference
https://attack.mitre.org/techniques/T1055/005/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip AS HostIP,
       destinationip AS RemoteIP,
       LONG(destinationport) AS RemotePort,
       username AS Username,
       "Process Name" AS TargetProcess,
       "Parent Process Name" AS ParentProcess,
       QIDNAME(qid) AS EventName,
       logsourcename(deviceid) AS LogSource
FROM events
WHERE LOGSOURCETYPEID(devicetype) = 12
  AND QIDNAME(qid) ILIKE '%Network Connect%'
  AND ("Process Name" ILIKE '%\\svchost.exe'
       OR "Process Name" ILIKE '%\\rundll32.exe'
       OR "Process Name" ILIKE '%\\regsvr32.exe'
       OR "Process Name" ILIKE '%\\dllhost.exe'
       OR "Process Name" ILIKE '%\\explorer.exe')
  AND NOT ("Parent Process Name" ILIKE '%\\services.exe'
       OR "Parent Process Name" ILIKE '%\\svchost.exe'
       OR "Parent Process Name" ILIKE '%\\winlogon.exe')
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
  AND NOT INCIDR(destinationip, '127.0.0.0/8')
  AND NOT INCIDR(destinationip, '169.254.0.0/16')
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
high severity medium confidence

QRadar AQL targeting Sysmon EventCode 3 (network connection) events via LOGSOURCETYPEID 12 (Windows Sysmon DSM) where suspicious Windows host processes with anomalous parent chains are observed connecting outbound to public IPs. The process-parent mismatch is a key TLS callback indicator; the network event serves as proof of payload execution prior to the main entry point. Full 5-second cross-event correlation should be implemented as a QRadar offense rule chaining Sysmon EventCode 1 and 3 offenses on matching Process IDs.

Data Sources

IBM QRadar SIEM with Microsoft Sysmon DSMQRadar WinCollect Agent (Windows Event Log)QRadar Universal DSM with custom Sysmon mapping

Required Tables

events

False Positives & Tuning

  • Windows services legitimately hosted in svchost.exe (e.g., DNS Client, BITS, Windows Update) that connect externally and are spawned during system recovery or WMI-triggered restarts with non-standard parent processes.
  • Software deployment frameworks (SCCM, PDQ Deploy, Ansible WinRM) that invoke rundll32.exe or regsvr32.exe to install components and immediately call back to orchestration servers for status reporting.
  • Security tools performing COM-based scanning that spawn dllhost.exe and immediately query cloud threat intelligence APIs — particularly when the parent is a non-standard monitoring agent rather than the expected svchost.exe.
Download portable Sigma rule (.yml)

Other platforms for T1055.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PE with TLS Callback - Compile and Execute

    Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.

  2. Test 2Ursnif-style TLS Callback Chain Analysis

    Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.

  3. Test 3Process Hollowing with TLS Callback Redirection

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.

Last updated: 2026-04-16 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1027Obfuscated Files or InformationT1106Native API

Same Tactic: Defense Evasion

Popular Detections