Introduction

This document and video will demonstrate how to enable kernel exploit prevention to protect hosts from sophisticated attacks that attempt kernel code execution.

Video

Overview

Malware, and in particular ransomware, is increasingly using sophisticated attack chains to bypass traditional AV and execute successfully. As an example, the Robinhood ransomware was updated to load and exploit a legitimately signed driver as a mechanism to achieve kernel code execution. With a lot of endpoint solutions, the malware can execute and successfully encrypt the file system because the driver appears to be legitimate. 

Even with a detection only policy, execution of the Robinhood ransomware triggers multiple CrowdStrike detections as shown below. While machine learning correctly identifies the ransomware, Falcon also detects data encryption as well as kernel level defense evasion.

Enabling Kernel Exploit Prevention

To prevent this type of attack, a simple policy change is required. Along with machine learning and behavioral based protections, CrowdStrike can also block executions by category. For this attack, enabling the prevention of  “Suspicious Kernel Drivers” will ensure that any driver found to be malicious by CrowdStrike will be blocked from loading.

Kernel Exploit Protection

With prevention enabled, the attack fails and the files are not encrypted. The execution details illustrate that CrowdStrike blocked the operation to start a malicious driver. The critical severity detection includes the tactic, technique and ID, as well as the triggering indicator of attack and a written description.

Closing

While the use of legitimate drivers might bypass traditional anti virus, CrowdStrike’s easy to configure prevention capabilities enable detection of malicious drivers and protect organizations against sophisticated attacks.

More resources

• CrowdStrike Tech Center
• Sign up for a weekly Falcon demo
• Request a 1:1 Demo
• Guide to AV Replacement
• CrowdStrike Products