Description
Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.
A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function).(Citation: NtQueryInformationProcess) Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
Platforms
Mitigations (1)
Behavior Prevention on EndpointM1040
Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has abused the <code>KernelCallbackTable</code> to hijack process control flow and execute shel... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) has used the <code>KernelCallbackTable</code> to hijack the execution flow of a process by replac... |
References
- Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.
- Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.
- odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
Frequently Asked Questions
What is T1574.013 (KernelCallbackTable)?
T1574.013 is a MITRE ATT&CK technique named 'KernelCallbackTable'. It belongs to the Stealth, Execution tactic(s). Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed...
How can T1574.013 be detected?
Detection of T1574.013 (KernelCallbackTable) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1574.013?
There are 1 documented mitigations for T1574.013. Key mitigations include: Behavior Prevention on Endpoint.
Which threat groups use T1574.013?
Known threat groups using T1574.013 include: Lazarus Group.