{"off_to_def":{"head":{"vars":["def_tactic_label","def_tactic_rel_label","def_tech_parent_is_toplevel","def_tech_parent_label","def_tech_label","def_tech_id","def_artifact_rel_label","def_artifact_label","sc","off_artifact_label","off_artifact_rel_label","off_tech_label","off_tactic_rel_label","off_tactic_label","def_tactic","def_tactic_rel","def_tech","def_artifact_rel","def_artifact","off_artifact","off_artifact_rel","off_tech","off_tech_id","off_tactic_rel","off_tactic"]},"results":{"bindings":[]}},"description":{"@context":{"rdfs":"http://www.w3.org/2000/01/rdf-schema#","owl":"http://www.w3.org/2002/07/owl#","d3f":"http://d3fend.mitre.org/ontologies/d3fend.owl#","skos":"http://www.w3.org/2004/02/skos/core#"},"@graph":[{"@id":"d3f:T1574.013","@type":"owl:Class","d3f:attack-id":"T1574.013","d3f:definition":"Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)","rdfs:label":"KernelCallbackTable","rdfs:subClassOf":{"@id":"d3f:T1574"}}]},"subtechniques":{"@context":{"rdfs":"http://www.w3.org/2000/01/rdf-schema#","owl":"http://www.w3.org/2002/07/owl#","d3f":"http://d3fend.mitre.org/ontologies/d3fend.owl#","skos":"http://www.w3.org/2004/02/skos/core#"},"@graph":[]}}