Skip to content

T1055.005 Thread Local Storage

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.1

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.

Item Value
ID T1055.005
Sub-techniques T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015
Tactics TA0005, TA0004
Platforms Windows
Version 1.1
Created 14 January 2020
Last Modified 18 October 2021

Procedure Examples

ID Name Description
S0386 Ursnif Ursnif has injected code into target processes via thread local storage callbacks.345

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.

Detection

ID Data Source Data Component
DS0009 Process OS API Execution

References