KernelCallbackTable

Information

• Name: KernelCallbackTable

• ID: T1574.013

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

KernelCallbackTable (T1574.013) is a sub-technique under the MITRE ATT&CK framework's Hijack Execution Flow (T1574) category. Attackers exploit the Windows kernel callback mechanism by modifying kernel callback tables to redirect execution flow, allowing malicious code to execute covertly within legitimate system processes. By altering these callback pointers, adversaries can achieve persistence, privilege escalation, and stealthy execution, making detection and mitigation challenging.

Deep Dive Into Technique

Kernel callback tables are structures used by the Windows operating system kernel to define routines executed in response to specific events or system calls. These callback routines enable kernel-mode code to interact with user-mode processes, facilitating tasks such as process creation, thread initialization, or image loading.

Attackers leverage this mechanism by directly modifying entries within kernel callback tables, redirecting legitimate callback pointers to malicious payloads or shellcode. This technique typically requires kernel-level privileges, which attackers may gain through privilege escalation exploits or kernel driver vulnerabilities.

Technical execution details include:

• Identifying the kernel callback table structures in Windows kernel memory (e.g., PspCreateProcessNotifyRoutine, PspLoadImageNotifyRoutine, PspCreateThreadNotifyRoutine).

• Using kernel-mode drivers or exploits to gain write access to protected kernel memory.

• Overwriting legitimate callback function pointers with pointers to malicious kernel-mode payloads or shellcode.

• Ensuring the malicious payload executes in response to routine system events, blending seamlessly into normal system operations.

Real-world procedures often involve kernel-mode rootkits, custom malicious kernel drivers, or advanced persistence mechanisms that evade standard antivirus detection.

When this Technique is Usually Used

This sub-technique typically appears in advanced attack scenarios, including:

• Persistence: Attackers modify kernel callbacks to ensure malicious payloads execute automatically upon system events like process creation or image loading.

• Privilege Escalation: Adversaries exploit kernel callback manipulation to escalate privileges from user-mode to kernel-mode, gaining unrestricted system access.

• Defense Evasion: Kernel callback modifications allow attackers to bypass traditional user-mode security controls, antivirus solutions, and endpoint detection platforms.

• Stealthy Execution: Attackers utilize this technique to execute payloads within legitimate system processes, avoiding suspicion and minimizing forensic evidence.

Attack stages commonly associated with KernelCallbackTable manipulation include:

• Post-exploitation (after initial access and privilege escalation).

• Persistence establishment phase.

• Defense evasion and stealth maintenance.

How this Technique is Usually Detected

Detection of KernelCallbackTable manipulation can be challenging due to its kernel-level stealth. However, detection methods and indicators of compromise (IoCs) include:

• Kernel Memory Scans: Regularly scanning kernel memory structures to detect unauthorized modifications or hooks within callback tables.

• Integrity Checks: Implementing kernel integrity monitoring solutions capable of detecting changes to critical kernel callback structures (e.g., comparing current callback pointers with known legitimate values).

• Behavioral Monitoring: Monitoring for unusual kernel-mode activity, such as unexpected kernel driver loading or suspicious kernel-mode memory allocations.

• Event Log Analysis: Analyzing Windows event logs for irregular kernel driver installation or unexpected privilege escalation events.

• Endpoint Detection and Response (EDR) Tools: Employing advanced EDR platforms capable of identifying kernel-level rootkits and malicious driver behaviors through behavioral heuristics and kernel-level visibility.

Specific IoCs include:

• Unexpected or unknown kernel-mode drivers loaded into memory.

• Modified callback pointers in kernel memory structures.

• Suspicious kernel-mode memory regions or executable allocations.

• Unexplained system crashes or instability due to improper callback manipulation.

Why it is Important to Detect This Technique

Early detection of KernelCallbackTable manipulation is critical due to its severe security implications, including:

• Full System Compromise: Attackers gain kernel-level privileges, providing unrestricted access to system resources, data, and processes.

• Persistent Access: Kernel callback modifications enable attackers to maintain long-term persistence, surviving system reboots and standard security remediation efforts.

• Defense Evasion: Kernel-level execution allows attackers to bypass traditional antivirus and endpoint security controls, significantly complicating detection and response.

• Data Exfiltration and Espionage: Attackers can covertly monitor, intercept, or exfiltrate sensitive information at the kernel level, posing severe risks to organizational confidentiality and integrity.

• System Stability Risks: Malicious kernel modifications can lead to system instability, crashes, or performance degradation, impacting business operations and availability.

Due to these significant impacts, organizations must prioritize detection and mitigation strategies to protect critical assets and ensure operational continuity.

Examples

Real-world examples and scenarios involving KernelCallbackTable manipulation include:

• Turla Rootkit (Uroburos):

  • Attack Scenario: Nation-state espionage campaigns targeting government and military organizations.

  • Tools Used: Custom kernel-mode rootkits and drivers modifying kernel callbacks to execute malicious payloads stealthily.

  • Impact: Persistent access, covert data exfiltration, and prolonged espionage activities.

• ZeroAccess Rootkit:

  • Attack Scenario: Cybercriminal campaigns distributing malware for financial gain.

  • Tools Used: Kernel-mode rootkit modifying kernel callback structures to achieve persistence and evade detection.

  • Impact: Persistent malware infections, unauthorized cryptocurrency mining, click fraud, and compromised host stability.

• Necurs Botnet:

  • Attack Scenario: Large-scale spam distribution and malware campaigns.

  • Tools Used: Malicious drivers altering kernel callbacks to maintain persistence and evade security products.

  • Impact: Massive spam distribution, malware infection propagation, and compromised endpoint integrity.

These examples illustrate the severe risks and impacts associated with KernelCallbackTable manipulation, underscoring the importance of proactive detection, monitoring, and mitigation strategies.