Unexpected modification of the KernelCallbackTable in a process's PEB, followed by invocation of the modified callback functions (e.g., fnCOPYDATA) through Windows messages. Defenders look for suspicious API call chains such as NtQueryInformationProcess → WriteProcessMemory → abnormal GUI callback execution, often correlated with anomalous behavior by the target process such as network activity or code injection.
| Data Component | Name | Channel |
|---|---|---|
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | WriteProcessMemory targeting regions containing KernelCallbackTable addresses |

| Field | Description |
|---|---|
| MonitoredProcesses | GUI applications (e.g., explorer.exe, notepad.exe) where KernelCallbackTable abuse is more likely. |
| CallbackFunctions | Specific callback functions (e.g., fnCOPYDATA, fnDWORD) expected to remain stable. |
| TimeWindow | Correlation interval between WriteProcessMemory calls and execution of modified callback functions. |
| AccessMaskThresholds | Access rights values that should be flagged when targeting GUI processes. |
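A worked example of the correlation the tables above describe, added here as illustration and not part of the ATT&CK strategy or any vendor's code: it pairs Sysmon EventCode 10 (ProcessAccess) records with a later WriteProcessMemory record against the same source/target process pair, and alerts only when the target is a monitored GUI process, the granted access includes the rights needed to write remote memory, and the write lands within the configured TimeWindow. The sample events are constructed; the ETW record layout (an `Api` field and a normalized `TargetRegion` tag for the KernelCallbackTable) is an assumption, as are the tunable values.

```python
"""Correlate Sysmon ProcessAccess events with WriteProcessMemory events that hit the
KernelCallbackTable region of a GUI process. Sample data is constructed; the ETW
record schema and all tunable values are assumptions for this example."""
from datetime import datetime, timedelta
import ntpath

# Tunables mirroring the strategy's fields (values are assumptions).
MONITORED_PROCESSES = {"explorer.exe", "notepad.exe"}   # MonitoredProcesses
TIME_WINDOW = timedelta(seconds=60)                      # TimeWindow
# AccessMaskThresholds: the handle rights WriteProcessMemory needs on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
REQUIRED_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
KCT_REGION = "PEB.KernelCallbackTable"  # assumed normalized tag emitted by the ETW channel

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events (not real telemetry). Sysmon fields follow the EventCode 10
# schema; the ETW WriteProcessMemory record layout is an assumption.
SAMPLE_EVENTS = [
    {"Channel": "WinEventLog:Sysmon", "EventCode": 10,
     "UtcTime": "2024-03-01 09:15:02.110",
     "SourceProcessId": 4312, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetProcessId": 1800, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"Channel": "etw:Microsoft-Windows-Kernel-Process", "Api": "WriteProcessMemory",
     "UtcTime": "2024-03-01 09:15:04.500",
     "SourceProcessId": 4312, "TargetProcessId": 1800, "TargetRegion": KCT_REGION},
    # Benign: query-only handle to notepad.exe, and no write follows.
    {"Channel": "WinEventLog:Sysmon", "EventCode": 10,
     "UtcTime": "2024-03-01 09:16:10.000",
     "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetProcessId": 2204, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1400"},
    # Full-rights handle to explorer.exe, but the write arrives outside the window.
    {"Channel": "WinEventLog:Sysmon", "EventCode": 10,
     "UtcTime": "2024-03-01 09:20:00.000",
     "SourceProcessId": 5120, "SourceImage": r"C:\Tools\debugger.exe",
     "TargetProcessId": 1800, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"Channel": "etw:Microsoft-Windows-Kernel-Process", "Api": "WriteProcessMemory",
     "UtcTime": "2024-03-01 09:25:00.000",
     "SourceProcessId": 5120, "TargetProcessId": 1800, "TargetRegion": KCT_REGION},
]


def _ts(event):
    """Parse the Sysmon-style UtcTime string into a datetime."""
    return datetime.strptime(event["UtcTime"], SYSMON_TIME)


def mask_allows_write(granted_access):
    """True when the hex GrantedAccess value carries every bit in REQUIRED_MASK."""
    return int(granted_access, 16) & REQUIRED_MASK == REQUIRED_MASK


def detect_kct_tampering(events, monitored=MONITORED_PROCESSES, window=TIME_WINDOW):
    """Return one alert per WriteProcessMemory into the KernelCallbackTable region that was
    preceded, within `window`, by a ProcessAccess from the same source to the same
    monitored GUI target with write-capable rights."""
    access = [e for e in events if e.get("EventCode") == 10]
    writes = [e for e in events
              if e.get("Api") == "WriteProcessMemory" and e.get("TargetRegion") == KCT_REGION]
    alerts = []
    for w in writes:
        w_time = _ts(w)
        for a in access:
            same_pair = (a["SourceProcessId"], a["TargetProcessId"]) == \
                        (w["SourceProcessId"], w["TargetProcessId"])
            if not same_pair:
                continue
            target = ntpath.basename(a["TargetImage"]).lower()
            if target not in monitored or not mask_allows_write(a["GrantedAccess"]):
                continue
            delta = w_time - _ts(a)
            if timedelta(0) <= delta <= window:   # handle opened before the write
                alerts.append({
                    "source_pid": a["SourceProcessId"],
                    "source_image": a["SourceImage"],
                    "target_pid": a["TargetProcessId"],
                    "target_image": target,
                    "granted_access": a["GrantedAccess"],
                    "seconds_to_write": delta.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_kct_tampering(SAMPLE_EVENTS):
        print(alert)
```

Only the first pair fires: the handle to notepad.exe lacks PROCESS_VM_WRITE and is never followed by a write, and the debugger's write falls five minutes after its handle open, outside the 60-second window. In production the ProcessAccess side would be indexed by process pair rather than scanned linearly, and the window and mask thresholds tuned per environment.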