CrowdStrike incorporated a CPU feature developed by Intel into its Falcon platform to detect complex attack techniques that would otherwise not be detected by the operating system, the company says.
The CPU feature, called Intel Processor Trace (Intel PT), traces an executable while it runs, stores the trace on disk, and afterward analyzes the trace to reproduce the exact sequence of instructions that was executed. Because Intel PT can record the code a process executes, it provides visibility in various areas of program behavior analysis, including static and dynamic analysis, performance analysis and diagnostics, exploit detection, understanding software failures, and postmortem crash dump analysis. Threat detection tools have previously used the feature to enhance malware and exploit analysis.
CrowdStrike says Intel PT delivers extensive telemetry useful for the detection and prevention of code reuse exploits.
The Falcon sensor’s Hardware Enhanced Exploit Detection feature utilizes Intel PT telemetry to analyze the captured trace for a selected set of programs and looks for suspicious operations associated with exploit techniques, such as shellcode injection and return-oriented programming. On systems where Intel PT is enabled and supported, security software running in the kernel “can now check for different suspicious operations, like returns not matching calls, suspicious stack pointer loads, excessive use of indirect calls and jumps, and more,” CrowdStrike notes.
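As an added illustration of the "returns not matching calls" and "excessive use of indirect calls and jumps" checks described above (example code written for this page, not Falcon's or Intel's), the following replays a constructed, already-decoded control-flow trace through a software shadow call stack and flags returns that land somewhere no call pushed, the shape of a ROP gadget chain. The event format, the `Branch` and `Findings` names and the thresholds are assumptions; a real deployment would feed decoded Intel PT packets into the same logic.

```python
from dataclasses import dataclass, field
# Constructed, already-decoded control-flow events in a hypothetical format;
# real Intel PT packets would first be decoded (e.g. with libipt).
@dataclass
class Branch:
    kind: str          # "call", "icall" (indirect call), "ijmp" (indirect jmp) or "ret"
    src: int           # address of the branch instruction
    dst: int           # resolved target address
    ret_addr: int = 0  # calls only: the fall-through address a matching ret must hit

@dataclass
class Findings:
    mismatched_returns: list = field(default_factory=list)  # (src, dst, expected)
    returns_without_call: int = 0  # shadow stack empty: benign if the trace began mid-function
    longest_bad_ret_run: int = 0   # consecutive returns that matched no call (gadget-chain shape)
    indirect_ratio: float = 0.0    # share of branches that are indirect calls/jumps

    def suspicious(self, max_bad_ret_run=3, max_indirect_ratio=0.5):
        return (bool(self.mismatched_returns) or self.longest_bad_ret_run >= max_bad_ret_run
                or self.indirect_ratio > max_indirect_ratio)

def analyze_trace(events):
    # Replay the trace against a software shadow call stack and collect the heuristics.
    shadow, f, run, indirect = [], Findings(), 0, 0
    for ev in events:
        if ev.kind in ("call", "icall"):
            shadow.append(ev.ret_addr)
            run = 0
        elif ev.kind == "ret":
            expected = shadow.pop() if shadow else None
            if expected == ev.dst:
                run = 0                       # a legitimate return resets the run
            else:
                run += 1
                if expected is None:
                    f.returns_without_call += 1
                else:
                    f.mismatched_returns.append((ev.src, ev.dst, expected))
            f.longest_bad_ret_run = max(f.longest_bad_ret_run, run)
        indirect += ev.kind in ("icall", "ijmp")
    f.indirect_ratio = indirect / len(events) if events else 0.0
    return f

BENIGN = [  # constructed: two nested calls that return to their call sites
    Branch("call", 0x401000, 0x401200, ret_addr=0x401005),
    Branch("call", 0x401210, 0x401400, ret_addr=0x401215),
    Branch("ret", 0x401450, 0x401215), Branch("ret", 0x401250, 0x401005)]
ROP_LIKE = [  # constructed: the callee's ret lands on a gadget, then rets chain with no calls
    Branch("call", 0x401000, 0x401200, ret_addr=0x401005),
    Branch("ret", 0x401250, 0x7FFE1000),  # expected 0x401005
    Branch("ret", 0x7FFE1003, 0x7FFE2000), Branch("ret", 0x7FFE2005, 0x7FFE3000)]
```

A single return with an empty shadow stack is tolerated because a trace that starts mid-function legitimately unwinds frames it never saw pushed; only a run of them, or a return to an address that differs from the recorded one, is reported.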
The feature has already been used to detect ROP-based exploit chains targeting Firefox, CrowdStrike says.
Intel PT has been present on Intel CPUs since the fifth generation (“Broadwell”), which means this feature is present on older systems. The combination of Intel PT with the Falcon sensor can provide memory safety protections for older systems lacking modern built-in security protections. Hardware Enhanced Exploit Detection is available with version 6.27 of the Falcon sensor for systems with Intel CPUs, sixth generation or newer, running Windows 10 RS4 or later.