title: Thread Local Storage (T1055.005)
id: df00tech-t1055-005
status: experimental
description: "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing."
references:
  - https://attack.mitre.org/techniques/T1055/005/
  - https://df00tech.com/detections/T1055.005
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
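  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: the '*' wildcard matches every event that carries an EventID field.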
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software with TLS callbacks for license verification or telemetry on startup
  - Auto-update mechanisms that check for updates immediately on process start
  - Browser processes establishing connections to configured home pages immediately on launch
  - Cloud-connected applications that authenticate on startup
level: high
