Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0467: Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing

DET0467 is a MITRE detection strategy entry for identifying TLS callback injection involving PE memory modification and hollowing. Its business significanc...

EnterpriseDET0467Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0467 is a MITRE detection strategy entry for identifying TLS callback injection involving PE memory modification and hollowing. Its business significance is that this behavior is associated with stealthy code execution inside Windows processes, which can undermine process-based controls and complicate incident scoping. Because MITRE provides no official detection text for this object, teams should treat it as a prompt to validate whether their endpoint and SOC telemetry can expose this class of process injection rather than assuming coverage exists.

Executive priority

Prioritize this as a resilience and detection-assurance issue for Windows environments where process injection would materially affect incident response, privileged access protection, or audit confidence. Leaders should ask whether endpoint monitoring can show memory tampering and suspicious execution context, whether analysts have playbooks for injection-style findings, and whether control evidence is strong enough to support compliance and incident decision-making.

Technical view

The supplied relationship says this strategy detects ATT&CK T1055.005, Thread Local Storage, under stealth and privilege-escalation, on Windows. Detection engineering should therefore focus on validating visibility into anomalous PE memory changes, TLS callback-related execution before a legitimate entry point, and hollowing-like process behavior. Because the ATT&CK object has no official detection logic, platforms, or detection text, local engineering must define and test analytics using available endpoint telemetry and known-good software baselines.

Likely telemetry

  • Windows endpoint process creation and parent/child process context
  • Image load and module metadata where available
  • Process memory allocation, write, and protection-change events
  • Thread creation or execution-start context, especially cross-process where collected
  • EDR alerts or raw telemetry describing process injection, memory tampering, or process hollowing

Detection direction

  • Confirm that endpoint tooling can observe memory modification and execution-context changes, not only process start events.
  • Correlate suspicious process behavior with PE/module metadata and process lineage to reduce false positives from legitimate software protection, debugging, or instrumentation tools.
  • Use the relationship to T1055.005 to tune for stealth and privilege-escalation use cases on Windows, while avoiding claims that the detection strategy itself specifies a platform.
  • Validate alert triage steps for hollowing-like behavior and TLS callback anomalies without relying solely on signature names.
  • Document blind spots where EDR telemetry is unavailable, memory events are not retained, or analysts cannot access live-response artifacts.

Mitigation priorities

  • Establish endpoint visibility and retention requirements for process, module, memory, and thread-related telemetry.
  • Harden privileged Windows systems first, since the related technique is associated with privilege escalation and stealth.
  • Use least privilege and application control concepts to reduce opportunities for untrusted code execution where feasible.
  • Create incident response procedures for suspected process injection, including preservation of process, memory, and executable metadata.
  • Review detection performance against known-good administrative, security, and development tools to control false positives before operational rollout.
Analyst notes and limits

This take is based on the DET0467 name and its supplied relationship to T1055.005 Thread Local Storage. MITRE did not provide an official description or detection text for the detection strategy in the supplied fields, so recommendations are framed as validation priorities rather than definitive analytics.

No active exploitation, attribution, specific detection logic, data source list, or guaranteed platform coverage is provided for DET0467. The related ATT&CK technique identifies Windows, but the detection strategy itself lists platforms and tactics as not specified. Local environment testing is required to determine actual coverage.

Official MITRE ATT&CK definition

Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1055.005 Thread Local Storage Sub-technique This object detects Thread Local Storage.
Relationship explorer

All related ATT&CK context

detects · Technique T1055.005: Thread Local Storage Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f7aed1009182aab3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f7aed1009182…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0467
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use