T1574.013

KernelCallbackTable

Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed) The KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once user32.dll is loaded.(Citation: Windows Process Injection KernelCallbackTable) An adversary may hijack the exe...

Windows
2 Detections
1 Sources
1 Threat Actors

BY SOURCE

elastic (2)

PROCEDURES (2)

Kernel Monitoring (1 detection)

Auto-extracted: 1 detection for kernel monitoring

General Monitoring (1 detection)

Auto-extracted: 1 detection for general monitoring

THREAT ACTORS (1)

DETECTIONS (2)