MITRE ATT&CK Technique
Defense Evasion T1055.005
Description

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process's memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012). (Citation: FireEye TLS Nov 2017)

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection by security products since the execution is masked under a legitimate process.
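For triage, the pointers the description refers to can be read straight from a PE's TLS directory. The following is an added example, not part of the ATT&CK entry: it walks the TLS callback array of an on-disk image and reports which section each callback falls in. The names `tls_callbacks` and `build_sample` are hypothetical and the sample image is constructed.

```python
import struct

def tls_callbacks(pe: bytes):
    """Return [(callback_rva, section_name or None), ...] from a PE's TLS directory."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                          # optional header
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B   # PE32+ magic
    fmt, width = ("<Q", 8) if pe64 else ("<I", 4)          # pointer size
    base = struct.unpack_from(fmt, pe, opt + (24 if pe64 else 28))[0]  # ImageBase
    dirs = opt + (112 if pe64 else 96)                     # data directory table
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]      # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 9 * 8)[0] if ndirs > 9 else 0
    first = opt + opt_size                                 # section table
    sections = [(n.rstrip(b"\0").decode("latin-1"), va, max(vs, rs), rp) for n, vs, va, rs, rp
                in struct.iter_unpack("<8sIIII16x", pe[first:first + 40 * nsec])]

    def locate(rva):                                       # RVA -> (section, file offset)
        for name, va, size, rptr in sections:
            if va <= rva < va + size:
                return name, rptr + rva - va
        return None, None
    tls_off = locate(tls_rva)[1] if tls_rva else None
    if tls_off is None:
        return []
    array_va = struct.unpack_from(fmt, pe, tls_off + 3 * width)[0]  # AddressOfCallBacks (a VA)
    off = locate(array_va - base)[1] if array_va else None
    found = []
    while off is not None and off + width <= len(pe):
        va = struct.unpack_from(fmt, pe, off)[0]
        if va == 0:                                        # array is null-terminated
            break
        found.append((va - base, locate(va - base)[0]))
        off += width
    return found

def build_sample():
    """Constructed 32-bit image: one section, two TLS callbacks, the second outside it."""
    base = 0x400000
    opt = (struct.pack("<H26xI60xI", 0x10B, base, 16) + bytes(72)
           + struct.pack("<II", 0x1000, 24) + bytes(48))   # TLS is directory entry 9
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
           + struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 0x200))
    body = bytearray(0x200)
    struct.pack_into("<I", body, 12, base + 0x1100)        # AddressOfCallBacks
    struct.pack_into("<III", body, 0x100, base + 0x1180, base + 0x9000, 0)
    return hdr.ljust(0x200, b"\0") + bytes(body)
```

An entry whose section is `None` points outside every section of the file and deserves a closer look; for a live process the same walk has to be done over the mapped image in memory rather than the file on disk.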

Supported Platforms
Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-01-14T01:30:41.092Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may inject malicious code into processes via '
                'thread local storage (TLS) callbacks in order to evade '
                'process-based defenses as well as possibly elevate '
                'privileges. TLS callback injection is a method of executing '
                'arbitrary code in the address space of a separate live '
                'process. \n'
                '\n'
                'TLS callback injection involves manipulating pointers inside '
                'a portable executable (PE) to redirect a process to malicious '
                "code before reaching the code's legitimate entry point. TLS "
                'callbacks are normally used by the OS to setup and/or cleanup '
                'data used by threads. Manipulating TLS callbacks may be '
                'performed by allocating and writing to specific offsets '
                'within a process’ memory space using other [Process '
                'Injection](https://attack.mitre.org/techniques/T1055) '
                'techniques such as [Process '
                'Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: '
                'FireEye TLS Nov 2017)\n'
                '\n'
                'Running code in the context of another process may allow '
                "access to the process's memory, system/network resources, and "
                'possibly elevated privileges. Execution via TLS callback '
                'injection may also evade detection from security products '
                'since the execution is masked under a legitimate process. ',
 'external_references': [{'external_id': 'T1055.005',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1055/005'},
                         {'description': 'Hosseini, A. (2017, July 18). Ten '
                                         'Process Injection Techniques: A '
                                         'Technical Survey Of Common And '
                                         'Trending Process Injection '
                                         'Techniques. Retrieved December 7, '
                                         '2017.',
                          'source_name': 'Elastic Process Injection July 2017',
                          'url': 'https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'},
                         {'description': 'Vaish, A. & Nemes, S. (2017, '
                                         'November 28). Newly Observed Ursnif '
                                         'Variant Employs Malicious TLS '
                                         'Callback Technique to Achieve '
                                         'Process Injection. Retrieved '
                                         'December 18, 2017.',
                          'source_name': 'FireEye TLS Nov 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html'}],
 'id': 'attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:32.111Z',
 'name': 'Thread Local Storage',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '1.2'}