In light of recent attacks that employed the kernel APC attack technique, such as WanaCrypt0r and Petya/NotPetya, Palo Alto Networks released a blog post detailing how kernel APC attacks work and why they are difficult to prevent.
In a nutshell, kernel APC attacks make legitimate programs run malicious code. Detecting and preventing these types of attacks is difficult, partly because of the challenge of determining whether the commands a legitimate program executes are legitimate or not. Additionally, security products generally avoid interfering with the commands issued by legitimate programs, because doing so risks breaking those programs.
Traps stops threats, including kernel APC attacks, using a multi-method prevention approach. With its 4.1 release, Palo Alto Networks Traps advanced endpoint protection added a Kernel APC Protection module. Even if an attacker manages to inject shellcode into the kernel, Traps prevents legitimate processes from accessing and executing that shellcode. When an attack tries to redirect an Asynchronous Procedure Call, or APC, to make a legitimate process run illegitimate commands (and ultimately execute the shellcode), Traps blocks access to the shellcode without needing to interfere with the legitimate process itself.
In addition to preventing these types of attacks that leverage the kernel, Traps also prevents exploits from escalating to kernel or system privileges in order to execute unwanted or malicious code.