T1055.005 Thread Local Storage
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.1
Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.
|Sub-techniques||T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015|
|Created||14 January 2020|
|Last Modified||18 October 2021|
|S0386||Ursnif||Ursnif has injected code into target processes via thread local storage callbacks.345|
|M1040||Behavior Prevention on Endpoint||Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.|
|ID||Data Source||Data Component|
|DS0009||Process||OS API Execution|
Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017. ↩
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017. ↩
Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. ↩
Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. ↩
Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019. ↩