Kernel APC Protection

Traps extends its kernel protection capabilities with the new Kernel APC Protection module. The exploit protection module (EPM) prevents attacks which leverage the kernel to load and run malicious shellcode. With this type of attack, the attacker must perform two main steps to exploit the endpoint:
  • First, the attacker must inject shellcode into the kernel. This shellcode contains the specific instructions that enable the attacker to access and use an endpoint to their advantage and is typically stored in an unmapped location of memory. While there are many methods by which an attacker can deliver shellcode to an endpoint, many attackers favor backdoor injection tools such as DoublePulsar and EternalBlue, which target specific vulnerabilities in unpatched Windows operating systems.
  • After the shellcode is in place, the attacker must run the shellcode. With this technique, the attacker redirects an asynchronous procedure call (APC) from a legitimate procedure to the location in memory where the malicious shellcode is stored. When the procedure runs, the APC attempts to access the shellcode at the specified memory address.
To block the attack, Traps focuses on the latter stage to detect and block access to the unmapped memory locations. When a prevention occurs, Traps blocks access to the shellcode without harming or blocking the legitimate process. This enables the process, which the system may require, to run while halting the malicious activity.
By default, the Kernel APC Protection module is enabled on all endpoints running Windows XP and later releases to protect the Local Security Authority Subsystem Service (lsass.exe).
  1. From the ESM Console, select PoliciesExploitKernel Protection Modules.
  2. Select the Windows tab.
  3. From the action menu manage-hidden-menu-icon.png , Add a new exploit protection rule .
  4. Select Kernel APC Protection and configure the rule settings:
    kernel-process-redirection-epm.png
    • Activation—Select On to enable Kernel APC Protection or Off to disable Kernel APC Protection protection.
    • Action—Select the action to take when Traps detects an attempt to exploit the operating system kernel: Block access to the unmapped memory location (Prevention), or permit access to the memory location and log the issue (Notification). Alternatively, you can inherit the behavior from the preceding rule in the rule hierarchy.
      To view additional details about the default policy select manage-hidden-menu-icon.png Show Default Rules.
    • User Alert—Specify the notification behavior when Traps detects an attempt to exploit the operating system kernel, either On to notify the user, or Off to suppress notifications. If you choose to Inherit the behavior, Traps defers to the default policy for the notification behavior.
  5. Select a Source Process to which to apply Kernel APC Protection.
    As you type, the ESM Console provides auto-completion based on the list of processes defined in the ESM Console.
  6. (Optional) To specify additional match criteria such as a specific version or range of versions for the operating system:
    1. Select the Conditions tab.
    2. Select the condition and Add it to the Selected Conditions list. Repeat this step to add more Conditions , as needed. To add a new condition to the conditions list, see Define Activation Conditions for a Rule .
  7. (Optional) Define the Target Objects to which to apply the exploit protection rule. By default, a new rule applies to all objects in your organization. To define a subset of target objects, select the Objects tab, and then enter one or more Users, Computers, Groups, Organizational Unit, or Existing Endpoints in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units or identifies existing endpoints from previous communication messages.
  8. To save the rule, do either of the following:
    • Save the rule and Activate it later from the rule management page.
    • Apply the rule to activate it immediately. The ESM Server distributes the rule at the next heartbeat communication with the agent.
    After saving or applying a rule, you can return to the PoliciesExploitKernel Protection Modules page at any time to Delete or Deactivate the rule.
  9. To view security events triggered by the EPM, see the Exploits pages:
    • Prevention events—Security EventsPreventionsExploits.
    • Notification-only events—Security EventsNotificationsExploits.
    Each security event identifies the parent (source) process and the callback address.

Related Documentation