DET0467 Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing

Item	Value
ID	DET0467
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1055.005 (Thread Local Storage)

Analytics

Windows

AN1289

Detects thread local storage (TLS) callback injection by monitoring memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread behavior prior to main entry point execution.

Log Sources

Data Component	Name	Channel
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Process Modification (DC0020)	WinEventLog:Sysmon	EventCode=8
OS API Execution (DC0021)	EDR:memory	MemoryWriteToExecutable

Mutable Elements

Field	Description
TargetProcessFilter	Subset of processes whose TLS callbacks should not change post-load (e.g., explorer.exe, lsass.exe)
TimeWindowBetweenLoadAndTLSModification	Acceptable delay between image load and memory tampering in .tls or .data sections
AnomalousThreadStartThreshold	Number of threads executing prior to main entry point that is considered suspicious
PayloadEntropyThreshold	Optional threshold to distinguish injected shellcode from benign memory writes