Detects thread-local storage (TLS) callback injection by monitoring memory modifications to PE headers and TLS directory structures during or after process hollowing events, followed by anomalous thread activity before the main entry point executes.
| Data Component | Name | Channel |
|---|---|---|
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | EDR:memory | MemoryWriteToExecutable |

| Field | Description |
|---|---|
| TargetProcessFilter | Subset of processes whose TLS callbacks should not change post-load (e.g., explorer.exe, lsass.exe) |
| TimeWindowBetweenLoadAndTLSModification | Acceptable delay between image load and memory tampering in .tls or .data sections |
| AnomalousThreadStartThreshold | Number of threads executing prior to main entry point that is considered suspicious |
| PayloadEntropyThreshold | Optional threshold to distinguish injected shellcode from benign memory writes |
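As an added illustration (not part of this detection strategy page and not MITRE's or any vendor's code), the following Python script correlates the four data sources listed in the tables above over a handful of constructed log records: a Sysmon image load (EventCode 7), a process access (EventCode 10), an EDR memory write into the `.tls` section, a remote thread (EventCode 8), and a marker for the process reaching its main entry point. The `key=value` record format, the `Section`/`Payload` fields on the memory-write event and the `MainEntryReached` marker are assumptions standing in for whatever the EDR actually emits; the tunable values are illustrative and are named after the field table.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the field table above; the values are illustrative.
TARGET_PROCESS_FILTER = {"explorer.exe", "lsass.exe"}
TIME_WINDOW_BETWEEN_LOAD_AND_TLS_MODIFICATION = timedelta(seconds=10)
ANOMALOUS_THREAD_START_THRESHOLD = 1      # remote threads seen before main entry
PAYLOAD_ENTROPY_THRESHOLD = 5.0           # bits/byte; packed or encrypted code scores high
TLS_SECTIONS = {".tls", ".data"}          # sections whose post-load writes are of interest


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one constructed '<ISO timestamp> key=value ...' record (assumed format)."""
    ts, _, rest = line.partition(" ")
    ev = dict(_KV.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_tls_callback_injection(lines):
    """Per target PID: image load -> high-entropy .tls/.data write inside the time
    window -> remote threads created before the main entry point is reached."""
    state = defaultdict(lambda: {"image": None, "load": None, "tls_mod": None,
                                 "threads": 0, "accessor": None})
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        kind = ev.get("EventCode") or ev.get("EventType")
        if kind == "7" and ev.get("Image") == ev.get("ImageLoaded"):
            # Sysmon 7: the main module of a monitored process was mapped
            name = _basename(ev["Image"])
            if name in TARGET_PROCESS_FILTER:
                state[ev["ProcessId"]].update(image=name, load=ev["ts"])
        elif kind == "10":
            # Sysmon 10: remember who opened a handle to the target (context for the alert)
            state[ev["TargetProcessId"]]["accessor"] = ev.get("SourceImage")
        elif kind == "MemoryWriteToExecutable":
            s = state[ev["TargetProcessId"]]
            in_window = (s["load"] is not None and
                         ev["ts"] - s["load"] <= TIME_WINDOW_BETWEEN_LOAD_AND_TLS_MODIFICATION)
            payload = bytes.fromhex(ev.get("Payload", ""))
            if (in_window and ev.get("Section") in TLS_SECTIONS
                    and shannon_entropy(payload) >= PAYLOAD_ENTROPY_THRESHOLD):
                s["tls_mod"] = ev["ts"]
        elif kind == "8":
            # Sysmon 8: remote thread; counted only once TLS tampering has been seen
            s = state[ev["TargetProcessId"]]
            if s["tls_mod"] is not None:
                s["threads"] += 1
        elif kind == "MainEntryReached":
            # Assumed EDR marker: the process reached its main entry point. Evaluate and
            # forget the PID so later thread creations are not counted as pre-entry.
            s = state.pop(ev["ProcessId"], None)
            if s and s["tls_mod"] is not None and s["threads"] >= ANOMALOUS_THREAD_START_THRESHOLD:
                alerts.append({"pid": ev["ProcessId"], "image": s["image"],
                               "accessor": s["accessor"],
                               "tls_modified_at": s["tls_mod"].isoformat(),
                               "threads_before_entry": s["threads"]})
    return alerts


# Constructed sample records: 64 distinct bytes (entropy 6.0) stand in for shellcode,
# a zero-filled buffer (entropy 0.0) for a benign write.
_HIGH = bytes(range(64)).hex()
_LOW = (b"\x00" * 64).hex()
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00 EventCode=7 ProcessId=4242 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\explorer.exe",
    "2024-03-01T10:00:01 EventCode=10 SourceImage=C:\\Users\\Public\\loader.exe TargetProcessId=4242 GrantedAccess=0x1F0FFF",
    "2024-03-01T10:00:02 EventType=MemoryWriteToExecutable TargetProcessId=4242 Section=.tls Payload=" + _HIGH,
    "2024-03-01T10:00:03 EventCode=8 SourceImage=C:\\Users\\Public\\loader.exe TargetProcessId=4242 StartAddress=0x7FF612340000",
    "2024-03-01T10:00:04 EventType=MainEntryReached ProcessId=4242",
    "2024-03-01T10:05:00 EventCode=7 ProcessId=700 Image=C:\\Windows\\System32\\lsass.exe ImageLoaded=C:\\Windows\\System32\\lsass.exe",
    "2024-03-01T10:05:01 EventType=MemoryWriteToExecutable TargetProcessId=700 Section=.data Payload=" + _LOW,
    "2024-03-01T10:05:02 EventType=MainEntryReached ProcessId=700",
    "2024-03-01T10:05:03 EventCode=8 SourceImage=C:\\Windows\\System32\\svchost.exe TargetProcessId=700 StartAddress=0x7FF6AAAA0000",
]

if __name__ == "__main__":
    for alert in detect_tls_callback_injection(SAMPLE_EVENTS):
        print(alert)
```

Only the hollowed explorer.exe instance alerts: its `.tls` write falls inside the window, clears the entropy threshold, and is followed by a remote thread before the entry-point marker. The lsass.exe instance is suppressed twice over, by the low-entropy `.data` write and by its remote thread arriving only after main entry, which is the behaviour the three thresholds are meant to separate.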