|T1574.001||DLL Search Order Hijacking|
|T1574.005||Executable Installer File Permissions Weakness|
|T1574.006||Dynamic Linker Hijacking|
|T1574.007||Path Interception by PATH Environment Variable|
|T1574.008||Path Interception by Search Order Hijacking|
|T1574.009||Path Interception by Unquoted Path|
|T1574.010||Services File Permissions Weakness|
|T1574.011||Services Registry Permissions Weakness|
Adversaries may abuse the
KernelCallbackTable of a process to hijack its execution flow in order to run their own payloads. The
KernelCallbackTable can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once
user32.dll is loaded.
An adversary may hijack the execution flow of a process using the
KernelCallbackTable by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as Reflective Code Loading or Process Injection into another process.
A pointer to the memory address of the
KernelCallbackTable can be obtained by locating the PEB (ex: via a call to the
NtQueryInformationProcess() Native API function). Once the pointer is located, the
KernelCallbackTable can be duplicated, and a function in the table (e.g.,
fnCOPYDATA) set to the address of a malicious payload (ex: via
WriteProcessMemory()). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.
The tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the
KernelCallbackTable may also be restored to its original state by the rest of the malicious payload. Use of the
KernelCallbackTable to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.
|M1040||Behavior Prevention on Endpoint||
Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
|ID||Data Source||Data Component||Detects|
|DS0009||Process||OS API Execution||
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances. for known bad sequence of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as