Detect Thread Local Storage in Splunk
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.005 Thread Local Storage
- Canonical reference
- https://attack.mitre.org/techniques/T1055/005/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\svchost.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\dllhost.exe")
NOT (ParentImage="*\\services.exe" OR ParentImage="*\\svchost.exe" OR ParentImage="*\\winlogon.exe")
| rename ProcessId as TargetPID, Image as TargetProcess, ParentImage as ParentProcess
| join type=inner TargetPID host [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
| rename ProcessId as TargetPID]
| eval TimeDelta=abs(_time - relative_time(_time, "-5s"))
| table _time, host, User, ParentProcess, TargetProcess, DestinationIp, DestinationPort
| sort - _timeDetects potential TLS callback injection by correlating Sysmon Event ID 1 (Process Create) for system processes spawned by unusual parents with Sysmon Event ID 3 (Network Connection) showing immediate outbound connections to public IPs. The rapid connection after creation suggests code executed via TLS callback before normal entry point execution.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Software with legitimate TLS initialization callbacks
- Auto-update checks on process startup
- Browser launch with pre-configured pages
- Cloud authentication on application startup
Other platforms for T1055.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PE with TLS Callback - Compile and Execute
Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.
- Test 2Ursnif-style TLS Callback Chain Analysis
Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.
- Test 3Process Hollowing with TLS Callback Redirection
Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.
References (4)
- https://attack.mitre.org/techniques/T1055/005/
- https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
- https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.005/T1055.005.md
Unlock Pro Content
Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.