T1055.005 Microsoft Sentinel · KQL

Detect Thread Local Storage in Microsoft Sentinel

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.005 Thread Local Storage
Canonical reference
https://attack.mitre.org/techniques/T1055/005/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect TLS callback abuse indicators
// TLS callbacks execute before the main entry point - look for suspicious process behavior
// immediately after creation (network connections, file writes before expected initialization)
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("svchost.exe", "rundll32.exe", "regsvr32.exe", "dllhost.exe", "explorer.exe")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "explorer.exe", "winlogon.exe")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteIPType == "Public"
    | project NetTime=Timestamp, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl
) on DeviceName, $left.ProcessId == $right.InitiatingProcessId
| where datetime_diff('second', NetTime, Timestamp) between (0 .. 5)
| project Timestamp, NetTime, DeviceName, AccountName, InitiatingProcessFileName, FileName, RemoteIP, RemotePort, RemoteUrl
| sort by Timestamp desc
high severity low confidence

Detects potential TLS callback injection by identifying system processes that establish outbound network connections within seconds of creation — indicating code execution before the expected initialization sequence. TLS callbacks execute before the entry point, so malicious callbacks often perform C2 communication before the legitimate process has time to initialize normally. This is a behavioral detection since TLS callbacks themselves are not directly logged by standard telemetry.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceNetworkEvents

False Positives & Tuning

  • Legitimate software with TLS callbacks for license verification or telemetry on startup
  • Auto-update mechanisms that check for updates immediately on process start
  • Browser processes establishing connections to configured home pages immediately on launch
  • Cloud-connected applications that authenticate on startup
Download portable Sigma rule (.yml)

Other platforms for T1055.005

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PE with TLS Callback - Compile and Execute

    Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.

  2. Test 2Ursnif-style TLS Callback Chain Analysis

    Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.

  3. Test 3Process Hollowing with TLS Callback Redirection

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.

Last updated: 2026-04-16 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1027Obfuscated Files or InformationT1106Native API

Same Tactic: Defense Evasion

Popular Detections