CrowdStrike Incorporates Intel CPU Telemetry Into Falcon Sensor

Published: 23/11/2024   Category: security




The Falcon sensor uses Intel PT telemetry to identify suspicious operations associated with hard-to-detect exploit techniques.



CrowdStrike has incorporated a CPU feature developed by Intel into its Falcon platform to detect complex attack techniques that would otherwise go undetected by the operating system, the company says.
The CPU feature, called Intel Processor Trace (Intel PT), traces an executable while it runs, stores the trace on disk, and afterward analyzes the trace to reproduce the exact sequence of instructions that was executed. Because Intel PT can record the code execution of a process, it provides visibility in various areas of program behavior analysis, including static and dynamic analysis, performance analysis and diagnostics, exploit detection, software failure understanding, and postmortem crash dump analysis. The feature has previously been used by threat detection tools to enhance malware and exploit analysis.
CrowdStrike says Intel PT delivers extensive telemetry useful for the detection and prevention of code reuse exploits.
The Falcon sensor's Hardware Enhanced Exploit Detection feature uses Intel PT telemetry to analyze the captured trace for a selected set of programs, looking for suspicious operations associated with exploit techniques such as shellcode injection and return-oriented programming. On systems where Intel PT is enabled and supported, security software running in the kernel can now check for various suspicious operations, such as returns not matching calls, suspicious stack pointer loads, excessive use of indirect calls and jumps, and more, CrowdStrike notes.
The feature has already been used to detect ROP-based exploit chains targeting Firefox, CrowdStrike says.
Intel PT has been present on Intel CPUs since the fifth generation (Broadwell), which means this feature is present on older systems. The combination of Intel PT with the Falcon sensor can provide memory safety protections for older systems lacking modern built-in security protections. Hardware Enhanced Exploit Detection is available with version 6.27 of the Falcon sensor for systems with Intel CPUs, sixth generation or newer, running Windows 10 RS4 or later.
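Two of the checks named above, returns that do not match a preceding call and an excessive share of indirect calls and jumps, reduce to simple passes over a decoded branch trace. The following is an added example written for this article, not CrowdStrike's or Intel's code: it assumes the Intel PT packet stream has already been decoded into branch records (kind, source, destination and, for calls, the fall-through address), and both traces below are constructed with made-up addresses.

```python
# Added example, not CrowdStrike code. Assumes Intel PT packets have already
# been decoded (with the binary at hand) into branch records: kind, source,
# destination and, for calls, the fall-through address the callee returns to.
from collections import namedtuple

# kind: call, ind_call, ind_jmp, ret or direct
Branch = namedtuple("Branch", "kind src dst fall", defaults=(None,))

def analyze_trace(trace, indirect_ratio=0.4, min_branches=4):
    """Flag the two conditions the article names, as (name, detail...) tuples.

    Shadow stack: each call pushes its fall-through address; a ret whose
    destination is not the address on top (or arrives with nothing pushed)
    is a return not produced by a matching call, which is what every gadget
    return in a ROP chain looks like. Tracing must start at a known point."""
    findings, shadow, indirect = [], [], 0
    for i, b in enumerate(trace):
        if b.kind in ("call", "ind_call"):
            shadow.append(b.fall)
        elif b.kind == "ret":
            expected = shadow.pop() if shadow else None
            if b.dst != expected:
                findings.append(("unmatched_ret", i, hex(b.dst)))
        if b.kind in ("ind_call", "ind_jmp"):
            indirect += 1
    # Share of indirect transfers in the window; the threshold is a tunable
    # assumption, gadget hopping via jmp/call reg sits far above compiled code.
    if len(trace) >= min_branches and indirect / len(trace) > indirect_ratio:
        findings.append(("excessive_indirect", indirect, len(trace)))
    return findings

# Constructed traces; addresses are made up, not from any real binary.
BENIGN = [
    Branch("call", 0x401000, 0x402000, fall=0x401005),
    Branch("call", 0x402010, 0x403000, fall=0x402015),
    Branch("ret", 0x403020, 0x402015),
    Branch("ret", 0x402030, 0x401005),
    Branch("direct", 0x401010, 0x401040),
]
# Hijacked call chain: the first ret lands on a gadget instead of the saved
# fall-through, and every gadget's ret chains to the next gadget.
ROP_LIKE = [
    Branch("call", 0x401000, 0x402000, fall=0x401005),
    Branch("ret", 0x402020, 0x7FF001),
    Branch("ret", 0x7FF004, 0x7FF101),
    Branch("ret", 0x7FF108, 0x7FF201),
    Branch("ind_jmp", 0x7FF205, 0x7FF301),
    Branch("ind_jmp", 0x7FF305, 0x7FF401),
    Branch("ind_call", 0x7FF410, 0x7FF501, fall=0x7FF413),
]
```

`analyze_trace(BENIGN)` returns no findings, while `analyze_trace(ROP_LIKE)` reports three unmatched returns and the high indirect-branch share; a window that begins mid-function would also trip the shadow stack, which is why a sensor has to start tracing at a known point such as thread entry.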
Read more here from CrowdStrike.
