T1055.005: Thread Local Storage
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.
TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before it reaches the legitimate entry point. TLS callbacks are functions listed in the PE's TLS directory (the AddressOfCallBacks table of IMAGE_TLS_DIRECTORY) that the Windows loader invokes before the entry point, and again on thread creation and exit, normally to set up and clean up per-thread data. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.[1]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.
Analyst context for executives and security teams
Thread Local Storage (TLS) callback injection is a Windows process-injection sub-technique where malicious code is made to run inside another process before the program’s normal entry point. For leaders, the business issue is that activity can appear to come from a legitimate process, weakening process-based controls and complicating incident triage around privilege escalation and stealth.
Executive priority
Prioritize this as an endpoint resilience and SOC visibility question: can the organization recognize abnormal process memory and PE manipulation on Windows systems, especially where elevated or business-critical processes are involved? Because the mirrored object carries no official ATT&CK detection text, leaders should ask for evidence of endpoint behavior-prevention coverage, detection engineering validation, and incident-response playbooks for process injection rather than assuming existing malware signatures are sufficient.
Technical view
This is ATT&CK T1055.005, a Windows sub-technique of Process Injection associated with stealth and privilege escalation. Defenders should validate coverage for TLS callback-related PE memory modification, hollowing-like process injection chains, and execution masked under legitimate processes. The relationship to DET0467 indicates that an ATT&CK detection strategy exists for TLS callback injection via PE memory modification and hollowing; teams should map that strategy to the Windows endpoint telemetry they actually have. Known ATT&CK software relationships include Ursnif and CANONSTAGER, so detections should be behavior-focused rather than tied only to a single family name.
Likely telemetry
- Windows endpoint process creation and parent/child process context
- Endpoint memory activity showing allocation, writing, or modification inside another live process
- PE/module metadata or image-load evidence relevant to TLS callback structures
- API-call or endpoint event telemetry used by behavior-prevention controls
- Signals of process hollowing or related process-injection behavior
Detection direction
- Confirm whether DET0467-style logic is implemented and whether it is backed by telemetry that can observe PE memory modification and hollowing-related behavior.
- Tune detections around suspicious modification of PE structures and TLS callback-related execution rather than relying only on process names or known-bad hashes.
- Correlate memory modification, process creation, image/module activity, and privilege context to reduce noise from legitimate software: compilers commonly emit a TLS directory and a CRT callback for any module that uses thread-local variables, so the presence of TLS callbacks alone is not a signal.
- Validate visibility on Windows endpoints where elevated processes, sensitive applications, or high-value users run, since injected code may inherit access to memory, network resources, or privileges.
- Document gaps explicitly because the mirrored ATT&CK object does not include official detection guidance.
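As an added example (not code from the ATT&CK page, from MITRE, or from any vendor tool), the Python below walks a PE image's TLS directory in the way the technique description sketches and applies the check the detection direction asks for: every AddressOfCallBacks entry is resolved against the section table and flagged when it points into a non-executable section or outside the image entirely. The PE it inspects is constructed in build_sample_pe() and is not a real binary; the helper names, the verdict strings and the sample callback addresses are this example's own.

```python
"""Enumerate a PE image's TLS callbacks and flag ones that do not land in an
executable section.  Added example for this page, not MITRE or vendor code;
the PE it parses is built by build_sample_pe() and is not a real binary."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index into the optional header's data directories
IMAGE_SCN_MEM_EXECUTE = 0x20000000     # section Characteristics bit
IMAGE_BASE = 0x140000000               # preferred base of the constructed sample


def _sections(pe, nt):
    """Yield (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)."""
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    first = nt + 24 + opt_size                      # section table follows the optional header
    for i in range(nsec):
        off = first + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, rawptr, chars


def _rva_to_offset(rva, secs, mapped):
    """Buffer offset for an RVA; identity when the buffer is an image dumped from memory."""
    if mapped:
        return rva
    for _, va, _, rawsize, rawptr, _ in secs:
        if va <= rva < va + rawsize:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _verdict(rva, secs, size_of_image):
    if not 0 <= rva < size_of_image:
        return "suspicious: points outside the image"
    for name, va, vsize, _, _, chars in secs:
        if va <= rva < va + vsize:
            if chars & IMAGE_SCN_MEM_EXECUTE:
                return f"ok: executable section {name}"
            return f"suspicious: non-executable section {name}"
    return "suspicious: headers or unmapped gap"


def tls_callbacks(pe, mapped=False):
    """Return [(callback_VA, verdict), ...] for every entry in AddressOfCallBacks.
    mapped=False parses a PE file; mapped=True parses an image dumped from a
    process (RVA == offset), which is where injected callbacks become visible."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    ptr, ptr_size = ("<Q", 8) if is64 else ("<I", 4)
    image_base = struct.unpack_from(ptr, pe, opt + (24 if is64 else 28))[0]
    size_of_image = struct.unpack_from("<I", pe, opt + 56)[0]
    dd = opt + (112 if is64 else 96) + IMAGE_DIRECTORY_ENTRY_TLS * 8
    tls_rva = struct.unpack_from("<I", pe, dd)[0]
    if tls_rva == 0:
        return []                                   # module has no TLS directory
    secs = list(_sections(pe, nt))
    tls_off = _rva_to_offset(tls_rva, secs, mapped)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all absolute VAs, pointer-sized), SizeOfZeroFill, Characteristics
    callbacks_va = struct.unpack_from(ptr, pe, tls_off + 3 * ptr_size)[0]
    if callbacks_va == 0:
        return []
    off = _rva_to_offset(callbacks_va - image_base, secs, mapped)
    found = []
    while True:
        target = struct.unpack_from(ptr, pe, off)[0]
        if target == 0:                             # table is null-terminated
            break
        found.append((target, _verdict(target - image_base, secs, size_of_image)))
        off += ptr_size
    return found


def build_sample_pe(callback_vas):
    """Constructed PE32+ (not a real binary): .text is executable, .rdata holds the
    TLS directory at RVA 0x2000 and its callback table at RVA 0x2040."""
    pe = bytearray(0x800)
    pe[:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", pe, 0x3C, nt)                        # e_lfanew
    pe[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, nt + 4, 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = nt + 24
    struct.pack_into("<H", pe, opt, 0x20B)                      # PE32+ magic
    struct.pack_into("<Q", pe, opt + 24, IMAGE_BASE)
    struct.pack_into("<II", pe, opt + 56, 0x3000, 0x400)        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", pe, opt + 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 112 + IMAGE_DIRECTORY_ENTRY_TLS * 8, 0x2000, 40)
    sec = opt + 240
    struct.pack_into("<8sIIII", pe, sec, b".text", 0x200, 0x1000, 0x200, 0x400)
    struct.pack_into("<I", pe, sec + 36, 0x60000020)            # CODE | EXECUTE | READ
    struct.pack_into("<8sIIII", pe, sec + 40, b".rdata", 0x200, 0x2000, 0x200, 0x600)
    struct.pack_into("<I", pe, sec + 76, 0x40000040)            # INITIALIZED_DATA | READ
    struct.pack_into("<QQQQII", pe, 0x600, 0, 0, 0, IMAGE_BASE + 0x2040, 0, 0)
    for i, va in enumerate(callback_vas):                       # zero already there terminates it
        struct.pack_into("<Q", pe, 0x640 + i * 8, va)
    return bytes(pe)


if __name__ == "__main__":
    sample = build_sample_pe([IMAGE_BASE + 0x1010,   # CRT-style callback inside .text
                              IMAGE_BASE + 0x2100,   # pointer rewritten into a data section
                              0x7FF812340000])       # pointer into some other mapping
    for va, verdict in tls_callbacks(sample):
        print(f"{va:#018x}  {verdict}")
```

Run it once over the file on disk for a baseline and once, with mapped=True, over the same module dumped from the live process: a callback that differs between the two, or that resolves outside any executable section, is the kind of PE memory modification the DET0467 relationship points at. The presence of a TLS directory by itself is not a finding, since compilers commonly emit one, plus a CRT callback, for any module that uses thread-local variables.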
Mitigation priorities
- Implement or validate M1040 Behavior Prevention on Endpoint for suspicious process behavior, API calls, file activity, and endpoint events.
- Prefer behavior-based prevention and monitoring over signature-only controls for process injection patterns.
- Prioritize coverage on Windows systems supporting privileged users, sensitive applications, and critical operations.
- Use incident-response exercises to confirm analysts can distinguish legitimate process behavior from suspicious PE memory modification and process injection.
- Feed confirmed local observations back into detection tuning and control validation evidence for audit and resilience reporting.
Analyst notes and limits
This object is a Windows sub-technique of Process Injection. The official description emphasizes stealth, potential privilege escalation, manipulation of PE TLS callback pointers, and possible use alongside techniques such as Process Hollowing. Relationships identify DET0467 as a relevant detection strategy, M1040 as mitigation, and Ursnif and CANONSTAGER as software using the behavior.
Official ATT&CK detection text is not present in the mirrored object, and the supplied fields do not include data components, specific event IDs, vendor detections, or guaranteed indicators. Local endpoint telemetry, EDR capability, and baselining are required to determine actual coverage and false-positive rates.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | This object is a sub-technique of Process Injection. |
Groups, software, and campaigns
S1237: CANONSTAGER
CANONSTAGER is a loader used by Mustang Panda and first observed in use in 2025. Mustang Panda uses DLL side-loading to execute within the victim environment before delivering a follow-on encrypted malicious payload. CANONSTAGER leverages Thread Local Storage (TLS) and native Windows APIs within the victim environment to elude detection, and also hides its code behind window procedures and message queues.[1]
S0386: Ursnif
Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.[1][2] Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.[3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | f0fac5f5e986… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye TLS Nov 2017: Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.
[2] MITRE ATT&CK: T1055.005 Thread Local Storage.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.