T1055.005 Thread Local Storage
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before it reaches the code's legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process's memory space using other Process Injection techniques such as Process Hollowing.[1]
Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.
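The description above hinges on two PE structures: the TLS entry in the optional header's data directory and the null-terminated AddressOfCallBacks array it points to, whose entries the loader calls before the entry point. The following Python is an added example for this page, not code from ATT&CK or from any referenced report, showing how an analyst can walk those structures to enumerate a file's TLS callbacks and note which section each callback address lands in (a callback outside every section is worth a closer look). It handles both PE32 and PE32+ layouts; the sample image it builds is constructed inline purely for the parser, is not loadable, and the names list_tls_callbacks and build_sample_pe are this example's own.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # index of the TLS entry in the optional header's data directory


def _section_table(pe, e_lfanew):
    """Yield (name, virtual_address, virtual_size, raw_size, raw_pointer) for each section header."""
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    first = e_lfanew + 24 + opt_size          # section headers follow the optional header
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, first + i * 40)
        yield name.rstrip(b"\0").decode(errors="replace"), va, vsize, rsize, rptr


def _locate_rva(rva, sections):
    """Return (section_name, file_offset) for an RVA, or (None, None) if no section backs it."""
    for name, va, vsize, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return name, rva - va + rptr
    return None, None


def list_tls_callbacks(pe):
    """Return [(callback_va, section_name_or_None), ...] read from the PE's TLS directory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                        # optional header starts after signature + file header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:                         # PE32+: 8-byte pointers, ImageBase at +24
        ptr_fmt, ptr_size = "<Q", 8
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
        dir_base = opt + 112
    elif magic == 0x10B:                       # PE32: 4-byte pointers, ImageBase at +28
        ptr_fmt, ptr_size = "<I", 4
        image_base, = struct.unpack_from("<I", pe, opt + 28)
        dir_base = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs, = struct.unpack_from("<I", pe, dir_base - 4)   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []                              # the image has no TLS directory
    sections = list(_section_table(pe, e_lfanew))
    _, tls_off = _locate_rva(tls_rva, sections)
    if tls_off is None:
        raise ValueError("TLS directory RVA is not backed by any section")
    # IMAGE_TLS_DIRECTORY fields: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks, ... These are virtual addresses, so ImageBase must be subtracted.
    callbacks_va, = struct.unpack_from(ptr_fmt, pe, tls_off + 3 * ptr_size)
    if callbacks_va == 0:
        return []
    _, off = _locate_rva(callbacks_va - image_base, sections)
    if off is None:
        raise ValueError("AddressOfCallBacks points outside the image")
    found = []
    while True:                                # the callback array ends with a null pointer
        cb, = struct.unpack_from(ptr_fmt, pe, off)
        if cb == 0:
            return found
        found.append((cb, _locate_rva(cb - image_base, sections)[0]))
        off += ptr_size


def build_sample_pe(callback_vas, image_base=0x140000000):
    """Constructed sample: a minimal PE32+ layout (headers + one .rdata section) carrying a
    TLS directory at RVA 0x1000 and its callback array at RVA 0x1040. Not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 40)
    sect = struct.pack("<8sIIII", b".rdata", 0x200, 0x1000, 0x200, 0x200).ljust(40, b"\0")
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)                                    # .rdata raw data at file offset 0x200
    struct.pack_into("<QQQQII", body, 0, 0, 0, 0, image_base + 0x1040, 0, 0)
    for i, va in enumerate(callback_vas):
        struct.pack_into("<Q", body, 0x40 + 8 * i, va)         # zero fill supplies the terminator
    return headers + bytes(body)


if __name__ == "__main__":
    # Constructed sample: one callback inside .rdata, one pointing at no section at all.
    sample = build_sample_pe([0x140001100, 0x140009000])
    for va, section in list_tls_callbacks(sample):
        flag = "" if section else "  <-- not backed by any section"
        print(f"TLS callback at {va:#x} in section {section!r}{flag}")
```

On a real file, replace the constructed sample with the file's bytes; a non-empty result means the loader will run those addresses before the entry point, and a callback whose RVA falls outside every section header is a cue to inspect the image further before trusting its entry point as the start of execution.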
Item | Value |
---|---|
ID | T1055.005 |
Sub-techniques | T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015 |
Tactics | TA0005, TA0004 |
Platforms | Windows |
Version | 1.1 |
Created | 14 January 2020 |
Last Modified | 18 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0386 | Ursnif | Ursnif has injected code into target processes via thread local storage callbacks.[3][4][5] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0009 | Process | OS API Execution |
References
- [1] Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.
- [2] Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
- [3] Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- [4] Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- [5] Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.