MITRE ATT&CK® Analytic

AN1289: Analytic 1289

Detects thread local storage (TLS) callback injection by monitoring memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread behavior prior to main entry point execution.

Enterprise · AN1289 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1289 is a Windows detection analytic focused on a stealthy execution-evasion pattern: manipulation of Portable Executable (PE) thread local storage (TLS) callback structures during or after process hollowing, with suspicious thread behavior before the program’s normal entry point runs. For leaders, the decision value is whether the SOC can see memory-level process manipulation, not just file, command-line, or network activity. This matters because attacks that execute before normal application startup can bypass simpler monitoring assumptions and complicate incident scoping.

Executive priority

Prioritize this analytic where Windows endpoint resilience, incident response readiness, and evidence quality are important. The key business question is whether endpoint telemetry and SOC workflows can prove or disprove in-memory tampering associated with process hollowing. If coverage depends only on process creation logs or antivirus alerts, this behavior may create a visibility gap that affects containment confidence, forensic reconstruction, and audit evidence for advanced endpoint monitoring.

Technical view

Validate detection capability on Windows for memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread behavior before main entry point execution. Because the ATT&CK object does not provide a formal detection implementation, teams should treat AN1289 as detection logic guidance rather than a deployable rule. Detection engineering should correlate process hollowing indicators, memory-write activity against PE header or TLS metadata regions, and thread execution sequencing that occurs prior to normal entry point execution.
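The memory-write correlation described above needs a concrete way to read the TLS data directory and callback table out of a PE image and compare an on-disk baseline with a memory snapshot of the same module. The Python below is an added example, not code from the ATT&CK object or from Glexia; it builds two constructed minimal PE32+ images (a clean baseline and a snapshot whose TLS directory entry was repointed and whose callback table gained an entry in a non-executable section) and reports the differences a detection would key on. The helper names (`parse_headers`, `parse_tls_callbacks`, `compare_tls`, `build_mapped_image`), the section layout and the image base are assumptions of this example; the structure offsets follow the PE32+ format.

```python
import struct

# PE32+ layout constants (PE/COFF specification)
PE32PLUS_MAGIC = 0x20B
TLS_DIR_INDEX = 9                 # IMAGE_DIRECTORY_ENTRY_TLS
DATADIR_OFFSET = 112              # first data directory inside the PE32+ optional header
IMAGE_SCN_MEM_EXECUTE = 0x20000000
TLS_DIR64_SIZE = 40               # sizeof(IMAGE_TLS_DIRECTORY64); AddressOfCallBacks is at +24


def parse_headers(img):
    """Read the fields a TLS-tampering check needs from a mapped PE32+ image (RVA == buffer offset)."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", img, 0x3C)[0]                      # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", img, nt + 6)[0]
    size_opt = struct.unpack_from("<H", img, nt + 20)[0]
    opt = nt + 24
    if struct.unpack_from("<H", img, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images are handled here")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]
    image_base = struct.unpack_from("<Q", img, opt + 24)[0]
    tls_rva, tls_size = struct.unpack_from("<II", img, opt + DATADIR_OFFSET + TLS_DIR_INDEX * 8)
    sections = []
    for i in range(num_sections):                                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", img, opt + size_opt + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "tls_rva": tls_rva,
            "tls_size": tls_size, "sections": sections}


def parse_tls_callbacks(img):
    """Return the RVAs in the TLS callback table (empty when the image has no TLS directory)."""
    hdr = parse_headers(img)
    if hdr["tls_size"] == 0:
        return []
    callbacks_va = struct.unpack_from("<Q", img, hdr["tls_rva"] + 24)[0]   # AddressOfCallBacks (a VA)
    if callbacks_va == 0:
        return []
    off, callbacks = callbacks_va - hdr["image_base"], []
    while off + 8 <= len(img):                                       # table ends with a zero entry
        va = struct.unpack_from("<Q", img, off)[0]
        if va == 0:
            break
        callbacks.append(va - hdr["image_base"])
        off += 8
    return callbacks


def section_for_rva(sections, rva):
    for s in sections:
        if s["rva"] <= rva < s["rva"] + s["vsize"]:
            return s
    return None


def compare_tls(baseline_img, snapshot_img):
    """Findings where a memory snapshot's TLS data differs from the on-disk baseline or looks injected."""
    b_hdr, s_hdr = parse_headers(baseline_img), parse_headers(snapshot_img)
    b_cbs, s_cbs = parse_tls_callbacks(baseline_img), parse_tls_callbacks(snapshot_img)
    findings = []
    if (b_hdr["tls_rva"], b_hdr["tls_size"]) != (s_hdr["tls_rva"], s_hdr["tls_size"]):
        findings.append("tls-directory-entry-modified")
    if b_hdr["entry_rva"] != s_hdr["entry_rva"]:
        findings.append("entry-point-modified")
    for rva in s_cbs:
        if rva not in b_cbs:
            findings.append(f"new-callback@{rva:#x}")
        sec = section_for_rva(s_hdr["sections"], rva)
        if sec is None:
            findings.append(f"callback-outside-sections@{rva:#x}")
        elif not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"callback-in-non-executable-section@{rva:#x}")
    return findings


def build_mapped_image(tls_dir_rva, callback_rvas, base=0x140000000):
    """Constructed fixture: a minimal mapped PE32+ image with .text (RX) and .rdata (R) sections."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x8664, 2, 0, 0, 0, 240, 0x22)   # IMAGE_FILE_HEADER
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<Q", img, opt + 24, base)                      # ImageBase
    struct.pack_into("<I", img, opt + 56, len(img))                  # SizeOfImage
    struct.pack_into("<I", img, opt + 108, 16)                       # NumberOfRvaAndSizes
    for i, (name, rva, chars) in enumerate([(b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040)]):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 240 + i * 40, name, 0x1000, rva, 0x1000, rva, 0, 0, 0, 0, chars)
    if tls_dir_rva:
        struct.pack_into("<II", img, opt + DATADIR_OFFSET + TLS_DIR_INDEX * 8, tls_dir_rva, TLS_DIR64_SIZE)
        table_rva = tls_dir_rva + TLS_DIR64_SIZE                     # callback table right after the directory
        struct.pack_into("<QQQQII", img, tls_dir_rva, 0, 0, 0, base + table_rva, 0, 0)
        for i, rva in enumerate(callback_rvas):
            struct.pack_into("<Q", img, table_rva + i * 8, base + rva)   # zero terminator already in buffer
    return bytes(img)
```

Usage: `compare_tls(build_mapped_image(0x2000, [0x1100]), build_mapped_image(0x2800, [0x1100, 0x2900]))` returns the three findings for the constructed tampered snapshot, while comparing the baseline against itself returns an empty list. The example treats both inputs as mapped images (RVA equals buffer offset), which is what a process memory dump of a loaded module gives you; a file read from disk would first need RVA-to-file-offset translation through the section table before the same comparison applies.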

Likely telemetry

  • Windows endpoint detection and response telemetry
  • Process creation and parent-child process context
  • Process hollowing or process image replacement indicators
  • Memory modification events affecting PE headers
  • Memory modification events affecting TLS directory structures

Detection direction

  • Confirm whether endpoint tooling can observe memory modifications to PE headers and TLS directory structures, not only file writes or process starts.
  • Correlate TLS-related memory changes with process hollowing context to reduce noise from legitimate loaders, debuggers, packers, or security tools.
  • Tune for anomalous thread behavior before main entry point execution, while validating how normal software initialization appears in the local environment.
  • Use parent process, signed image reputation, command-line context, and process lineage as supporting evidence, not as substitutes for the memory and thread behaviors described by the analytic.
  • Document visibility gaps where EDR, logging policy, or performance settings do not expose memory-region changes or thread start behavior.
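The correlation these bullets call for is an event-sequencing problem: per process, combine a hollowing indicator, a write to the PE header or TLS region, and a thread that starts before the entry point is reached, and treat any subset as supporting evidence only. The Python below is an added example, not detection content from MITRE or Glexia; it runs that state machine over a constructed EDR-style event stream. The event type names (`image_replaced`, `mem_write`, `thread_start`, `entry_point_reached`), the field names and the sample processes are assumptions of this example and must be mapped onto whatever the local endpoint tooling actually emits.

```python
from collections import defaultdict

# Constructed EDR-style event stream (not real telemetry). "image_replaced" stands in for
# whatever process-hollowing indicator the local EDR emits; timestamps are per-process ordinals.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": 2, "pid": 100, "type": "image_replaced"},
    {"ts": 3, "pid": 100, "type": "mem_write", "region": "pe_header"},
    {"ts": 4, "pid": 100, "type": "mem_write", "region": "tls_directory"},
    {"ts": 5, "pid": 100, "type": "thread_start", "start_rva": 0x2900},      # runs before the entry point
    {"ts": 6, "pid": 100, "type": "entry_point_reached", "entry_rva": 0x1000},
    {"ts": 1, "pid": 200, "type": "process_create", "image": r"C:\Program Files\App\app.exe"},
    {"ts": 2, "pid": 200, "type": "thread_start", "start_rva": 0x1000},      # the main thread itself
    {"ts": 3, "pid": 200, "type": "entry_point_reached", "entry_rva": 0x1000},
    {"ts": 4, "pid": 200, "type": "thread_start", "start_rva": 0x1800},      # after entry: normal
    {"ts": 1, "pid": 300, "type": "process_create", "image": r"C:\Tools\packed.exe"},
    {"ts": 2, "pid": 300, "type": "thread_start", "start_rva": 0x5000},      # a packer stub, no hollowing
    {"ts": 3, "pid": 300, "type": "entry_point_reached", "entry_rva": 0x1000},
]

HEADER_REGIONS = ("pe_header", "tls_directory")


def correlate(events):
    """Per process, collect hollowing, PE header/TLS write and pre-entry-point thread evidence."""
    state = defaultdict(lambda: {"hollowing": False, "header_tampering": False,
                                 "entry_reached": False, "pre_entry_threads": [],
                                 "anomalous_threads": []})
    for ev in sorted(events, key=lambda e: (e["pid"], e["ts"])):
        st, kind = state[ev["pid"]], ev["type"]
        if kind == "image_replaced":
            st["hollowing"] = True
        elif kind == "mem_write" and ev["region"] in HEADER_REGIONS:
            st["header_tampering"] = True
        elif kind == "thread_start" and not st["entry_reached"]:
            st["pre_entry_threads"].append(ev["start_rva"])
        elif kind == "entry_point_reached":
            st["entry_reached"] = True
            # the main thread legitimately starts at the entry point; anything else is anomalous
            st["anomalous_threads"] = [r for r in st["pre_entry_threads"] if r != ev["entry_rva"]]
    return state


def verdicts(state):
    """Map collected evidence to a verdict: all three signals -> alert, some -> review, none -> none."""
    out = {}
    for pid, st in state.items():
        evidence = [k for k in ("hollowing", "header_tampering") if st[k]]
        if st["anomalous_threads"]:
            evidence.append("pre_entry_thread")
        level = "alert" if len(evidence) == 3 else ("review" if evidence else "none")
        out[pid] = (level, evidence)
    return out
```

Usage: `verdicts(correlate(SAMPLE_EVENTS))` yields an alert for pid 100, nothing for pid 200, and a review-only verdict for pid 300, whose pre-entry thread has no hollowing or header-write context. That last case is the tuning point the bullets describe: a packer or instrumentation stub produces the thread signal alone, so it is logged as supporting evidence rather than escalated.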

Mitigation priorities

  • Prioritize endpoint controls and monitoring capable of detecting in-memory process manipulation on Windows systems.
  • Harden incident response playbooks to preserve process memory and thread context when process hollowing or pre-entry-point execution behavior is suspected.
  • Apply least privilege and application control where feasible to reduce opportunities for unauthorized process manipulation, while recognizing this analytic itself is detection-focused.
  • Validate that SOC escalation criteria distinguish high-fidelity memory manipulation from benign software protection, debugging, or instrumentation activity.
  • Use findings from this analytic to inform endpoint logging requirements, detection engineering backlog, and compliance evidence for advanced threat monitoring.

Analyst notes and limits

The supplied object is a detection analytic, not a technique object, and no tactics or relationship context were supplied. The official description is specific to Windows, PE header/TLS directory memory modification, process hollowing context, and anomalous thread behavior before main entry point execution. Local validation is required because legitimate software may perform unusual loading or instrumentation behavior that resembles parts of this pattern.

Official detection content is not provided, and no related ATT&CK techniques, mitigations, data sources, adversary groups, malware, or campaigns were supplied. This take therefore avoids claims about prevalence, attribution, active exploitation, or guaranteed detection coverage. Implementation details depend on the organization’s endpoint telemetry depth and forensic collection capability.

Official MITRE ATT&CK definition

Analytic 1289

Detects thread local storage (TLS) callback injection by monitoring memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread behavior prior to main entry point execution.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 70d39d3ac11e4ee8...

Imported snapshots across ATT&CK releases (1)

  Release   Bundle imported   Object version   Modified   Status           Raw hash
  19.1                        1.0                         Current bundle   70d39d3ac11e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1289 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.