Process Injection: Thread Local Storage

Other sub-techniques of Process Injection (12)

ID	Name
ATAGS-T1084.001	Asynchronous Procedure Call
ATAGS-T1084.002	Dynamic-link Library Injection
ATAGS-T1084.003	Extra Window Memory Injection
ATAGS-T1084.004	ListPlanting
ATAGS-T1084.005	Portable Executable Injection
ATAGS-T1084.006	Proc Memory
ATAGS-T1084.007	Process Doppelgänging
ATAGS-T1084.008	Process Hollowing
ATAGS-T1084.009	Ptrace System Calls
ATAGS-T1084.010	Thread Execution Hijacking
ATAGS-T1084.011	Thread Local Storage
ATAGS-T1084.012	VDSO Hijacking

Threat Actors may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

ID: ATAGS-T1084.011

Sub-technique of: ATAGS-T1084

ⓘ

Tactic: Privilege Escalation

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.