T1574.013: KernelCallbackTable
Essential information
| Field | Value |
|---|---|
| MITRE technique ID | T1574.013 |
| Confidence | 100/100 |
| Revoked | No |
| Published | 25/02/2022 16:27 |
| Modified | 27/03/2026 01:11 |
| Author / Source | The MITRE Corporation |
Platforms
windows
Description
Adversaries may abuse the `KernelCallbackTable` of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed) The `KernelCallbackTable` can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once `user32.dll` is loaded.(Citation: Windows Process Injection KernelCallbackTable)
An adversary may hijack the execution flow of a process using the `KernelCallbackTable` by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.
A pointer to the memory address of the `KernelCallbackTable` can be obtained by locating the PEB (ex: via a call to the `NtQueryInformationProcess()` [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the `KernelCallbackTable` can be duplicated, and a function in the table (e.g., `fnCOPYDATA`) set to the address of a malicious payload (ex: via `WriteProcessMemory()`). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the `KernelCallbackTable` may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the `KernelCallbackTable` to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
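As an added defender-side check, not code from the ATT&CK entry: the PowerShell below reads each 64-bit GUI process's `KernelCallbackTable` pointer from its PEB (via `NtQueryInformationProcess()` and `ReadProcessMemory()`, the same lookups the description names) and flags any process whose pointer no longer lies inside `user32.dll`'s mapped image. It assumes a 64-bit PowerShell host, the x64 PEB layout (pointer at PEB+0x58) and that an untouched table lives inside `user32.dll`; the function name `Test-KernelCallbackTable` is my own.

```powershell
# Added integrity check (not MITRE's code). Assumes 64-bit host, x64 PEB
# layout (KernelCallbackTable pointer at PEB+0x58) and that the pointer
# normally lies inside user32.dll's image. WOW64 processes are skipped.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)]
    public struct PBI {            // PROCESS_BASIC_INFORMATION, x64 layout
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority,
                      UniqueProcessId, InheritedFromUniqueProcessId;
    }
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref PBI pbi, int len, out int ret);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, out IntPtr buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool IsWow64Process(IntPtr h, out bool wow64);
}
'@
Add-Type -TypeDefinition $src

function Test-KernelCallbackTable {
    param([System.Diagnostics.Process]$Process)
    $user32 = $Process.Modules | Where-Object { $_.ModuleName -ieq 'user32.dll' }
    if (-not $user32) { return $null }              # no user32.dll: table never initialised
    $wow = $false
    if ([Native]::IsWow64Process($Process.Handle, [ref]$wow) -and $wow) { return $null }  # 32-bit PEB not handled
    $pbi = New-Object Native+PBI; $ret = 0
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf($pbi)
    $status = [Native]::NtQueryInformationProcess($Process.Handle, 0, [ref]$pbi, $size, [ref]$ret)  # 0 = ProcessBasicInformation
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
    $table = [IntPtr]::Zero; $read = [IntPtr]::Zero
    $addr = [IntPtr]($pbi.PebBaseAddress.ToInt64() + 0x58)   # PEB.KernelCallbackTable on x64
    if (-not [Native]::ReadProcessMemory($Process.Handle, $addr, [ref]$table, [IntPtr]8, [ref]$read)) {
        throw 'ReadProcessMemory failed'
    }
    $base = $user32.BaseAddress.ToInt64()
    $inside = ($table.ToInt64() -ge $base) -and ($table.ToInt64() -lt ($base + $user32.ModuleMemorySize))
    [pscustomobject]@{
        Pid = $Process.Id; Name = $Process.ProcessName
        KernelCallbackTable = ('0x{0:X}' -f $table.ToInt64()); InsideUser32 = $inside
    }
}

# Report every process whose table pointer has left user32.dll's image.
Get-Process | ForEach-Object { try { Test-KernelCallbackTable $_ } catch { } } |
    Where-Object { $_ -and -not $_.InsideUser32 }
```

Because the description notes the table may be restored after the payload runs, this is a point-in-time check best paired with monitoring of cross-process writes into the PEB; processes the caller cannot open are silently skipped.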
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | persistence |
| mitre-attack | privilege-escalation |
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.