Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the <code>KernelCallbackTable</code> by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.
A pointer to the memory address of the <code>KernelCallbackTable</code> can be obtained by locating the PEB (ex: via a call to the <code>NtQueryInformationProcess()</code> Native API function).(Citation: NtQueryInformationProcess) Once the pointer is located, the <code>KernelCallbackTable</code> can be duplicated, and a function in the table (e.g., <code>fnCOPYDATA</code>) set to the address of a malicious payload (ex: via <code>WriteProcessMemory()</code>). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the <code>KernelCallbackTable</code> may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the <code>KernelCallbackTable</code> to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.08 | End-user device protection | Mitigates | T1574.013 | KernelCallbackTable |
Comments
This diagnostic statement protects endpoints from certain types of behaviors related to process injection/memory tampering through configuration requirements, connection requirements, and other mechanisms to protect network, application, and data integrity.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1574.013 | KernelCallbackTable | |
| SI-02 | Flaw Remediation | mitigates | T1574.013 | KernelCallbackTable | |
| SI-10 | Information Input Validation | mitigates | T1574.013 | KernelCallbackTable | |
| SI-03 | Malicious Code Protection | mitigates | T1574.013 | KernelCallbackTable | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1574.013 | KernelCallbackTable | |
| CM-02 | Baseline Configuration | mitigates | T1574.013 | KernelCallbackTable | |
| SI-04 | System Monitoring | mitigates | T1574.013 | KernelCallbackTable |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1574.013 | KernelCallbackTable |
Comments
This control can detect windows API calls on VMs indicative of Hijacking Execution Flow via KernelCallBack table such as WriteProcessMemory() and NtQueryInformationProcess().
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1574.013 | KernelCallbackTable |
Comments
Google Search Operations can alert based on Windows API calls such as WriteProcessMemory() and NtQueryInformationProcess().
References
|