T1055.005 Sumo Logic CSE · Sumo

Detect Thread Local Storage in Sumo Logic CSE

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.005 Thread Local Storage
Canonical reference
https://attack.mitre.org/techniques/T1055/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory="windows/sysmon" EventID=3
| where !(DestinationIp matches "^10\\.|^172\\.(1[6-9]|2[0-9]|3[01])\\.|^192\\.168\\.|^127\\.|^169\\.254\\.")
| where Image matches "(?i).*\\\\(svchost|rundll32|regsvr32|dllhost|explorer)\\.exe$"
| where !(ParentImage matches "(?i).*\\\\(services|svchost|winlogon)\\.exe$")
| fields _time, ComputerName, User, Image, ParentImage, ProcessId, DestinationIp, DestinationPort, DestinationHostname
| lookup processStartTime from [_sourceCategory="windows/sysmon" EventID=1
  | where Image matches "(?i).*\\\\(svchost|rundll32|regsvr32|dllhost|explorer)\\.exe$"
  | where !(ParentImage matches "(?i).*\\\\(services|svchost|winlogon)\\.exe$")
  | fields ComputerName, ProcessId, _time as processStartTime] on ComputerName, ProcessId
| where isNull(processStartTime) OR abs(_time - processStartTime) <= 5000
| sort by _time desc
high severity medium confidence

Sumo Logic query detecting Sysmon EventID 3 network connections from Windows system host processes with anomalous parent chains making outbound public connections. A secondary lookup correlates against Sysmon EventID 1 process creation records to surface cases where the network activity occurs within 5 seconds of process start — the signature of TLS callback code running before the main entry point.

Data Sources

Sumo Logic Cloud SIEM with Windows CollectorSumo Logic Installed Collector with Sysmon Event Log SourceSumo Logic OpenTelemetry Collector (Windows)

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Enterprise patch management agents using rundll32.exe as a shim that validate licensing or check for updates via HTTPS on first execution, particularly when spawned by scheduled task hosts rather than standard service parents.
  • Third-party EDR or DLP products that spawn dllhost.exe COM surrogates and immediately upload content fingerprints or behavioral telemetry to their cloud platforms within seconds of initialization.
  • Windows compatibility subsystem components that legitimately execute via explorer.exe wrappers and perform immediate network initialization (e.g., network share reconnection, cloud storage sync agents).
Download portable Sigma rule (.yml)

Other platforms for T1055.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PE with TLS Callback - Compile and Execute

    Expected signal: Sysmon Event ID 1: PowerShell execution. In a real TLS callback binary: execution trace would show TLS callback function executing before the PE entry point. Debuggers (x64dbg, WinDbg) would show the TLS callback break before OEP.

  2. Test 2Ursnif-style TLS Callback Chain Analysis

    Expected signal: Sysmon Event ID 1: PowerShell reading PE headers of notepad.exe. Sysmon Event ID 11: No file creation (read-only operation). This is a defensive analysis technique, not an attack.

  3. Test 3Process Hollowing with TLS Callback Redirection

    Expected signal: Sysmon Event ID 1: notepad.exe spawned by PowerShell. When using full technique: Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE rights, followed by process resume and immediate malicious activity before expected notepad initialization.

Last updated: 2026-04-16 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1055.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.014VDSO HijackingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.012Process HollowingT1055.003Thread Execution HijackingT1027Obfuscated Files or InformationT1106Native API

Same Tactic: Defense Evasion

Popular Detections