AN1593: Analytic 1593
Unexpected modification of the KernelCallbackTable in a process’s PEB followed by invocation of modified callback functions (e.g., fnCOPYDATA) through Windows messages. Defender observes suspicious API call chains such as NtQueryInformationProcess → WriteProcessMemory → abnormal GUI callback execution, often correlating to anomalous process behavior such as network activity or code injection.
Analyst context for executives and security teams
This analytic is important because it points to suspicious manipulation of an internal Windows process structure, the PEB KernelCallbackTable, followed by abnormal GUI callback execution through Windows messages. For leaders, the practical issue is whether the organization can see high-risk process tampering that may not look like ordinary malware execution at first glance. The value is in validating that Windows endpoint telemetry can connect memory modification, unusual API call sequences, GUI callback behavior, and follow-on anomalies such as network activity or code injection.
Executive priority
Prioritize this as a Windows endpoint detection-readiness question rather than a standalone risk claim. Security leaders should ask whether managed detection, SOC, and IR teams can investigate process memory modification and abnormal callback execution with enough evidence to support rapid containment decisions. This may matter for resilience and audit evidence because it tests whether endpoint monitoring goes beyond file-based alerts and can document suspicious process behavior chains.
Technical view
For SOC and detection teams, validate visibility into the described sequence: NtQueryInformationProcess followed by WriteProcessMemory and then abnormal GUI callback execution, including callbacks such as fnCOPYDATA, where available. Since ATT&CK provides no separate detection text or relationship context for this analytic, teams should treat it as a behavior-chain validation exercise on Windows endpoints. Correlate suspicious KernelCallbackTable modification with anomalous process behavior, including network activity or indicators of code injection, while tuning for legitimate GUI-heavy applications and software that may perform unusual inter-process operations.
Likely telemetry
- Windows endpoint process telemetry
- API call or endpoint detection telemetry for NtQueryInformationProcess and WriteProcessMemory
- Process memory modification evidence
- GUI or Windows message-related callback execution evidence where available
- Process lineage and command context
Detection direction
- Confirm whether endpoint tooling can observe or infer modification of a process PEB KernelCallbackTable on Windows systems.
- Correlate API call chains rather than relying on a single event, especially NtQueryInformationProcess to WriteProcessMemory followed by abnormal callback execution.
- Prioritize cases where the affected process also shows anomalous network activity or code injection-like behavior.
- Tune expected activity from legitimate GUI applications, accessibility tools, security tools, and application frameworks that may generate unusual Windows messaging behavior.
- Document telemetry gaps explicitly, because the official object does not provide a full detection procedure or mapped ATT&CK tactics.
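As an added illustration (not part of the ATT&CK object or the Glexia page), the query-to-write-to-callback chain from the technical view and the detection direction above, scored per target process over constructed sample endpoint events. The event field names, the 10-second window, the score values and the allowlist of GUI-heavy images are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). Each event carries a timestamp in
# seconds, the acting process (pid/image), the target process and an API/behaviour.
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 4242, "image": "updater.exe", "target": 5150, "api": "NtQueryInformationProcess"},
    {"ts": 100.2, "pid": 4242, "image": "updater.exe", "target": 5150, "api": "WriteProcessMemory"},
    # Callback dispatched in the target from memory not backed by a loaded module.
    {"ts": 100.9, "pid": 5150, "image": "notepad.exe", "target": 5150, "api": "CallbackExec", "backed": False},
    {"ts": 101.5, "pid": 5150, "image": "notepad.exe", "target": 5150, "api": "NetworkConnect"},
    # Benign chain: an accessibility tool queries a process but never writes remote memory.
    {"ts": 200.0, "pid": 777, "image": "narrator.exe", "target": 9000, "api": "NtQueryInformationProcess"},
    {"ts": 200.3, "pid": 9000, "image": "explorer.exe", "target": 9000, "api": "CallbackExec", "backed": True},
]

WINDOW = 10.0  # assumed: seconds within which each step must follow the previous one
ALLOWLIST = {"narrator.exe"}  # assumed: source images expected to perform unusual IPC


def score_chains(events, window=WINDOW, allowlist=ALLOWLIST):
    """Return {target_pid: finding} for targets showing the full suspicious chain."""
    by_target = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_target[ev["target"]].append(ev)

    findings = {}
    for target, evs in by_target.items():
        queried = written = None
        score = 0
        for ev in evs:
            # Step 1: a *different* process queries the target (cross-process only).
            if ev["api"] == "NtQueryInformationProcess" and ev["pid"] != target:
                queried = ev
            # Step 2: the same chain continues with a remote memory write inside the window.
            elif ev["api"] == "WriteProcessMemory" and queried and ev["ts"] - queried["ts"] <= window:
                written = ev
            # Step 3: callback execution in the target after the write; unbacked code scores higher.
            elif ev["api"] == "CallbackExec" and written and ev["ts"] - written["ts"] <= window:
                score = 70 if not ev.get("backed", True) else 40
            # Follow-on anomaly (network activity) raises the priority of an existing chain.
            elif ev["api"] == "NetworkConnect" and score:
                score += 20
        # Tuning: suppress chains whose writing process is an expected GUI/accessibility tool.
        if score and written["image"] not in allowlist:
            findings[target] = {"score": score, "source": written["pid"]}
    return findings
```

A single NtQueryInformationProcess or callback event never produces a finding; only the ordered chain does, which is the correlation the detection direction asks for.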
Mitigation priorities
- Ensure Windows endpoint monitoring is deployed on systems where process tampering visibility is required.
- Prioritize EDR or host telemetry validation for process memory modification and cross-process write behavior.
- Review alert triage playbooks so analysts know how to pivot from suspicious callback execution to process lineage, memory modification, network activity, and injection evidence.
- Use incident response readiness exercises to confirm that teams can collect process, memory, and network context quickly enough for containment decisions.
- Where compliance evidence is needed, retain records showing which Windows telemetry sources are collected and how process-tampering detections are reviewed.
Analyst notes and limits
This object is an ATT&CK detection analytic, not a technique description. It is Windows-specific and describes a suspicious behavioral chain involving KernelCallbackTable modification in a process PEB, Windows message callback invocation, and related API calls. No tactics, relationships, aliases, or separate official detection guidance were supplied, so local validation is required before treating this as production-ready coverage.
The supplied ATT&CK fields do not include active exploitation claims, attribution, impacted sectors, mapped techniques, tactics, mitigations, or detection logic. The recommendations here are limited to defensive validation implied by the official description and external reference.
Analytic 1593
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4ab039de02c2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1593 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.