Description
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other Process Injection techniques such as Process Hollowing.(Citation: FireEye TLS Nov 2017)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.
Platforms
Mitigations (1)
Behavior Prevention on EndpointM1040
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1237 | CANONSTAGER | Malware | [CANONSTAGER](https://attack.mitre.org/software/S1237) uses the Thread Local Storage (TLS) array data structure to store function addresses resolved b... |
| S0386 | Ursnif | Malware | [Ursnif](https://attack.mitre.org/software/S0386) has injected code into target processes via thread local storage callbacks.(Citation: TrendMicro Urs... |
Related CWE Weaknesses
References
Frequently Asked Questions
What is T1055.005 (Thread Local Storage)?
T1055.005 is a MITRE ATT&CK technique named 'Thread Local Storage'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is...
How can T1055.005 be detected?
Detection of T1055.005 (Thread Local Storage) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1055.005?
There are 1 documented mitigations for T1055.005. Key mitigations include: Behavior Prevention on Endpoint.
Which threat groups use T1055.005?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.