CrowdStrike Incorporates Intel CPU Telemetry Into Falcon Sensor

The Falcon sensor uses Intel PT telemetry to identify suspicious operations associated with hard-to-detect exploit techniques.

CrowdStrike incorporated a CPU feature developed by Intel into its Falcon platform to detect complex attack techniques that would otherwise not be detected by the operating system, the company says.
The CPU feature, called the Intel Processor Trace (Intel PT), traces an executable while it runs, stores the trace on the disk, and afterward analyzes the trace to reproduce the exact sequence of instructions that was executed. Because Intel PT can record code execution on the process, it provides visibility in various areas of
program behavior analysis
, including static and dynamic analysis, performance analysis and diagnostics, exploit detection, software failure understanding, and postmortem crash dump analysis. The feature has been previously used by threat detection tools
to enhance malware and exploit analysis
.
CrowdStrike says Intel PT delivers extensive telemetry useful for the detection and prevention of code reuse exploits.
The Falcon sensors Hardware Enhanced Exploit Detection feature utilizes Intel PT telemetry to analyze the captured trace for a selected set of programs and looks for suspicious operations associated with exploit techniques, such as shellcode injection and return-oriented programming. On systems where Intel PT is enabled and supported, security software running in the kernel can now check for different suspicious operations, like returns not matching calls, suspicious stack pointer loads, excessive use of indirect calls and jumps, and more, CrowdStrike notes.
The feature has already been used to detect ROP-based exploit chains targeting Firefox, CrowdStrike says.
Intel PT has been present on Intel CPUs since the fifth generation (Broadwell), which means this feature is present on older systems. The combination of Intel PT with the Falcon sensor can provide memory safety protections for older systems lacking modern built-in security protections. Hardware Enhanced Exploit Detection is available with version 6.27 of the Falcon sensor for systems with Intel CPUs, sixth generation or newer, running Windows 10 RS4 or later.
Read more
here from CrowdStrike
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
CrowdStrike Incorporates Intel CPU Telemetry Into Falcon Sensor