DET0577 Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows.

| Item | Value |
|---|---|
| ID | DET0577 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1574.013 (KernelCallbackTable)

Analytics

Windows

AN1593

Unexpected modification of the KernelCallbackTable in a process's PEB, followed by invocation of the modified callback functions (e.g., fnCOPYDATA) through Windows messages. The defender observes suspicious API call chains such as NtQueryInformationProcess → WriteProcessMemory → abnormal GUI callback execution, often correlated with anomalous process behavior such as network activity or code injection.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses |
Mutable Elements

| Field | Description |
|---|---|
| MonitoredProcesses | GUI applications (e.g., explorer.exe, notepad.exe) where KernelCallbackTable abuse is more likely. |
| CallbackFunctions | Specific callback functions (e.g., fnCOPYDATA, fnDWORD) expected to remain stable. |
| TimeWindow | Correlation interval between WriteProcessMemory calls and execution of modified callback functions. |
| AccessMaskThresholds | Access rights values that should be flagged when targeting GUI processes. |
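As an added illustration (not part of this ATT&CK entry), the following Python correlator applies the analytic's logic to constructed Sysmon and ETW records: a Sysmon EventCode=10 handle grant carrying VM write rights on a monitored GUI process, followed within TimeWindow by a WriteProcessMemory whose target address falls in that process's PEB region. Event field names, the PebBase enrichment field, the PEB region size and the threshold values are assumptions.

```python
from datetime import datetime, timedelta

# Tunables mirroring the strategy's mutable elements; the concrete values are assumptions.
MONITORED_PROCESSES = {"explorer.exe", "notepad.exe"}          # MonitoredProcesses
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020       # Windows access-right bits
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE        # AccessMaskThresholds
TIME_WINDOW = timedelta(seconds=30)                           # TimeWindow
PEB_SIZE = 0x1000  # assumed: one page at the PEB base is the region holding KernelCallbackTable

def correlate(events):
    """Alert when a Sysmon EventCode=10 handle grant with VM write rights on a monitored
    GUI process is followed within TIME_WINDOW by a WriteProcessMemory whose target address
    falls inside that process's PEB region. Events are dicts; field names are constructed."""
    image_of, peb_of, grants, alerts = {}, {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] == "sysmon" and ev["EventCode"] == 1:        # Process Creation
            image_of[ev["ProcessId"]] = ev["Image"].rsplit("\\", 1)[-1].lower()
            peb_of[ev["ProcessId"]] = ev["PebBase"]                # assumed enrichment field
        elif ev["src"] == "sysmon" and ev["EventCode"] == 10:     # Process Access
            target = image_of.get(ev["TargetProcessId"])
            granted = int(ev["GrantedAccess"], 16)
            if target in MONITORED_PROCESSES and granted & WRITE_RIGHTS == WRITE_RIGHTS:
                grants[(ev["SourceProcessId"], ev["TargetProcessId"])] = ev["ts"]
        elif ev["src"] == "etw" and ev["Api"] == "WriteProcessMemory":  # OS API Execution
            key = (ev["SourceProcessId"], ev["TargetProcessId"])
            t0, peb = grants.get(key), peb_of.get(ev["TargetProcessId"])
            if (t0 is not None and ev["ts"] - t0 <= TIME_WINDOW and peb is not None
                    and peb <= ev["Address"] < peb + PEB_SIZE):
                alerts.append((ev["SourceProcessId"], image_of[ev["TargetProcessId"]], ev["ts"]))
    return alerts

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample telemetry: notepad.exe starts; pid 2000 opens it with a query-only
# handle (benign); pid 1337 opens it with full rights and writes into its PEB page 5 s later.
SAMPLE_EVENTS = [
    {"src": "sysmon", "EventCode": 1, "ts": ts("2025-10-21T10:00:00"), "ProcessId": 4242,
     "Image": "C:\\Windows\\System32\\notepad.exe", "PebBase": 0x00A3D000},
    {"src": "sysmon", "EventCode": 10, "ts": ts("2025-10-21T10:00:02"), "SourceProcessId": 2000,
     "TargetProcessId": 4242, "GrantedAccess": "0x1000"},
    {"src": "sysmon", "EventCode": 10, "ts": ts("2025-10-21T10:00:03"), "SourceProcessId": 1337,
     "TargetProcessId": 4242, "GrantedAccess": "0x1F3FFF"},
    {"src": "etw", "Api": "WriteProcessMemory", "ts": ts("2025-10-21T10:00:08"),
     "SourceProcessId": 1337, "TargetProcessId": 4242, "Address": 0x00A3D058},
]

if __name__ == "__main__":
    for src_pid, image, when in correlate(SAMPLE_EVENTS):
        print(f"ALERT: pid {src_pid} wrote into the PEB region of {image} at {when}")
```

The benign query-only handle never enters `grants`, and a write that lands outside the PEB page or outside TimeWindow does not alert, which is where the AccessMaskThresholds and TimeWindow tunables do their work.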