Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1574.013: KernelCallbackTable

Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.[1][2] The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.[3]

An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.

A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function).[4] Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.[1]

The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.[1] Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.

EnterpriseT1574.013Sub-techniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

KernelCallbackTable abuse is a Windows execution-hijacking technique where malicious code can run inside a legitimate GUI process by tampering with callback pointers in the Process Environment Block. For leaders, the material issue is not the specific Windows internals alone; it is that execution may appear to come from a trusted process and may be restored after use, making endpoint behavior visibility and incident triage discipline important.

Executive priority

Prioritize this as a Windows endpoint resilience and SOC-readiness concern. It sits under Hijack Execution Flow and is associated with stealth and execution, so leadership should ask whether endpoint controls can prevent or surface suspicious process behavior, memory modification, native API usage, and process injection patterns rather than relying only on file or signature detections. It is most relevant to environments where compromise of user workstations or servers could disrupt operations, weaken audit confidence, or complicate incident response.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around Windows GUI processes where user32.dll is loaded, PEB-related access, KernelCallbackTable tampering, suspicious use of NtQueryInformationProcess and WriteProcessMemory, process injection or reflective code loading context, and Windows-message-triggered execution. Because MITRE provides no official detection text, use the related DET0577 detection strategy as a starting point but confirm what it actually requires in local telemetry. Investigations should look for legitimate processes exhibiting unusual memory writes, callback table changes, or execution behavior inconsistent with normal application activity.

Likely telemetry

  • Endpoint process creation and parent-child process context
  • Endpoint API or behavioral telemetry for NtQueryInformationProcess and WriteProcessMemory
  • Memory access and process injection telemetry
  • Module-load context for GUI processes, including user32.dll where available
  • EDR events for suspicious process behavior and anomalous code execution inside legitimate processes

Detection direction

  • Validate whether endpoint tooling can observe suspicious memory writes into another process and PEB-related manipulation, not just command-line activity.
  • Tune detections around combinations of native API usage, process injection indicators, and anomalous execution from legitimate GUI processes to reduce false positives from benign developer, accessibility, or administrative tools.
  • Use relationship context: this is a sub-technique of Hijack Execution Flow and may overlap with Process Injection, Reflective Code Loading, and Native API behaviors described in the ATT&CK text.
  • Account for the stated blind spot that execution may be masked under a legitimate process and the KernelCallbackTable may be restored after payload execution.
  • Review the related DET0577 strategy, but do not assume coverage until required data sources and analytics are tested in the local environment.

Mitigation priorities

  • Prioritize behavior prevention on endpoint, consistent with M1040, focusing on suspicious process behavior, API activity, and memory manipulation rather than signatures alone.
  • Ensure EDR or endpoint protection policies are configured to block or alert on process injection-style behavior where operationally safe.
  • Harden incident response playbooks for suspicious legitimate-process execution, including memory capture and process lineage review.
  • Use application control and least-privilege practices as supporting controls, while recognizing this technique may be used to evade some execution restrictions.
  • Regularly test endpoint detections against safe, controlled simulations of hijack-execution-flow behaviors rather than assuming visibility from general malware prevention.
Analyst notes and limits

The supplied ATT&CK object identifies Windows as the platform, stealth and execution as tactics, and links the behavior to Hijack Execution Flow. Relationship context notes use by Lazarus Group and FinFisher, but that should be treated as historical ATT&CK relationship context only, not evidence of current activity in any environment.

MITRE did not provide official detection guidance for this object in the supplied fields. Specific analytics, data source mappings, and prevention efficacy must be validated against the organization’s endpoint tooling and Windows telemetry. No claims are made here about active exploitation, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

KernelCallbackTable

Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.[1][2] The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.[3]

An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.

A pointer to the memory address of the KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the NtQueryInformationProcess() Native API function).[4] Once the pointer is located, the KernelCallbackTable can be duplicated, and a function in the table (e.g., fnCOPYDATA) set to the address of a malicious payload (ex: via WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.[1]

The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the KernelCallbackTable may also be restored to its original state by the rest of the malicious payload.[1] Use of the KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1574 Hijack Execution Flow This object subtechnique of Hijack Execution Flow.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Malware Enterprise

S0182: FinFisher

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. [1] [2] [3] [4] [5]

WindowsAndroid
Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0577: Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows. Enterprise subtechnique of · Technique T1574: Hijack Execution Flow Enterprise mitigates · Mitigation M1040: Behavior Prevention on Endpoint Enterprise uses · Group G0032: Lazarus Group Enterprise uses · Malware S0182: FinFisher Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1040: Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

- Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

- Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

- Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process.

Exploit Prevention:

- Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
995f245fe626bda0...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle 995f245fe626…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Lazarus APT January 2022

    Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

    Open source URL
  2. [2]
    FinFisher exposed

    Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.

    Open source URL
  3. [3]
    Windows Process Injection KernelCallbackTable

    odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.

    Open source URL
  4. [4]
    NtQueryInformationProcess

    Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.

    Open source URL
  5. [5]
    mitre-attack T1574.013
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use