Thread Local Storage

Information

• Name: Thread Local Storage

• ID: T1055.005

• Tactics: TA0005, TA0004

• Technique: T1055

Introduction

Thread Local Storage (TLS) manipulation, identified as sub-technique T1055.005 within the MITRE ATT&CK framework, refers to adversaries leveraging the thread-local storage mechanism within processes to execute malicious payloads or hide malicious code. Thread Local Storage is a legitimate feature provided by operating systems, allowing each thread within a process to store and access data unique to that thread. Attackers exploit this legitimate functionality to evade detection, persist within compromised systems, and execute malicious code without raising suspicion.

Deep Dive Into Technique

Thread Local Storage (TLS) is a mechanism provided by operating systems to store data unique to each thread within a process. Each thread has its own TLS area, enabling threads to store and access data independently without interfering with each other.

Attackers leverage TLS manipulation primarily to achieve stealthy code execution and persistence. Technical methods and mechanisms include:

• TLS Callbacks Injection:

  • TLS callbacks are functions defined within a PE (Portable Executable) file that execute before the program’s entry point, allowing initialization tasks.

  • Attackers insert malicious code into these callbacks, causing the code to execute before standard detection points (such as antivirus scanning or debugging).

  • Often used to bypass sandbox analysis or evade debugging tools.

• Malicious Code Storage in TLS Sections:

  • Attackers may store shellcode or payloads directly in the TLS data sections.

  • This technique helps evade traditional static analysis tools, as TLS sections are less commonly inspected by security tools.

• Dynamic TLS Allocation and Manipulation:

  • Attackers dynamically allocate TLS slots at runtime to store pointers or malicious payloads, making detection and analysis difficult.

  • Dynamic allocation allows attackers to avoid static analysis and evade detection by security software that does not monitor TLS allocations.

Real-world procedures typically involve:

• Modifying PE files to insert malicious TLS callbacks.

• Injecting shellcode into TLS data sections.

• Dynamically allocating and manipulating TLS entries at runtime to execute hidden payloads.

When this Technique is Usually Used

Attack scenarios and stages where TLS manipulation commonly appears include:

• Initial Access and Execution:

  • Attackers may embed malicious TLS callbacks into executables delivered via phishing emails, malicious downloads, or compromised software updates.

  • Ensures execution of malicious payloads before standard security checks or sandbox analysis.

• Defense Evasion:

  • TLS manipulation is primarily used to evade antivirus software, endpoint detection and response (EDR) tools, and sandbox analysis.

  • Attackers execute code from less-monitored regions of memory, avoiding detection.

• Persistence:

  • Attackers use TLS callbacks to ensure persistent execution of malicious payloads at every startup or thread initialization.

  • Malicious code stored in TLS sections can persist undetected across system reboots and restarts.

• Privilege Escalation and Lateral Movement:

  • TLS manipulation may be part of a broader attack chain, helping attackers maintain stealth and evade detection while escalating privileges or moving laterally through networks.

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) include:

• Behavioral Monitoring and Analysis:

  • Monitor processes for unusual execution patterns, such as code execution before the standard entry point.

  • Detect processes executing code from TLS sections or callbacks.

• Memory and Code Injection Detection Tools:

  • Endpoint Detection and Response (EDR) solutions (such as CrowdStrike Falcon, Carbon Black, Microsoft Defender ATP) monitor memory allocations and suspicious thread behaviors.

  • Specialized tools such as Sysmon can detect unusual thread creations and TLS callbacks execution.

• Static Analysis and Binary Inspection:

  • Tools like PEStudio, PE-sieve, and CFF Explorer can inspect PE files for suspicious TLS callbacks or unusual TLS data sections.

  • Analysts can identify malicious TLS callbacks by examining PE headers and TLS directories.

• Indicators of Compromise (IoCs):

  • Unusual or newly added TLS callbacks in legitimate executables.

  • Executables with TLS sections containing suspicious data or shellcode.

  • Unexpected or suspicious memory allocations related to TLS.

Why it is Important to Detect This Technique

Detecting TLS manipulation is critical due to its potential severe impacts on systems and networks:

• Stealthy Persistence:

  • Attackers leveraging TLS manipulation can maintain persistent access to compromised systems without detection, allowing prolonged data exfiltration or espionage activities.

• Bypassing Traditional Security Controls:

  • TLS manipulation enables attackers to evade antivirus, sandbox analysis, and standard detection mechanisms, significantly increasing the difficulty of detection and remediation.

• Facilitating Advanced Threats:

  • This technique is commonly employed by sophisticated threat actors and Advanced Persistent Threat (APT) groups, enabling long-term infiltration and strategic compromise of high-value targets.

• High Risk of Data Exfiltration and Damage:

  • Undetected TLS manipulation can lead to prolonged unauthorized access, facilitating theft of sensitive data, intellectual property, or credentials.

  • Increased risk of ransomware deployment, espionage, or sabotage.

Early detection and mitigation of TLS manipulation help organizations prevent these serious consequences, minimize damage, and strengthen overall cybersecurity posture.

Examples

Real-world examples showcasing TLS manipulation include:

• TrickBot Malware:

  • TrickBot banking Trojan has been observed leveraging TLS callbacks to execute malicious code before the program’s entry point.

  • Attackers inserted malicious TLS callbacks into PE files, enabling TrickBot to evade antivirus and sandbox analysis.

  • Impact: Persistent infection, credential theft, and financial fraud.

• Ursnif (Gozi) Malware:

  • Ursnif malware variants have utilized TLS callbacks to execute code stealthily and evade detection by endpoint security solutions.

  • Attackers inserted malicious payloads into TLS sections, ensuring stealthy execution and persistence.

  • Impact: Credential harvesting, financial fraud, and espionage.

• APT29 (Cozy Bear):

  • APT29 has utilized TLS callbacks as part of their sophisticated malware toolsets to execute malicious payloads stealthily.

  • Attackers used TLS manipulation to evade detection by endpoint security tools and analysts.

  • Impact: Long-term espionage campaigns, sensitive information theft, and strategic compromise of government and private sector targets.

These examples illustrate how threat actors across varying sophistication levels leverage TLS manipulation to bypass security controls, achieve stealthy persistence, and conduct long-term cyber espionage and financial fraud operations.