T1212 Exploitation for Credential Access Mappings

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. 

Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain authenticated access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Another example of this is replay attacks, in which the adversary intercepts data packets sent between parties and then later replays these packets. If services don't properly validate authentication requests, these replayed packets may allow an adversary to impersonate one of the parties and gain unauthorized access or privileges.(Citation: Bugcrowd Replay Attack)(Citation: Comparitech Replay Attack)(Citation: Microsoft Midnight Blizzard Replay Attack)
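The replay scenario described above, as an added illustration that is not part of the ATT&CK text: a constructed request-authentication scheme whose server checks the MAC, a timestamp freshness window and a cache of already-seen nonces, set beside a signature-only check that accepts a captured request however often it is resent. The key, client name and action strings are made-up values.

```python
import hashlib
import hmac
import json
import os

# Constructed toy scheme: the client HMACs client name, action, timestamp and a
# random nonce. The server enforces the two controls that defeat a replayed
# capture: a freshness window on the timestamp and a cache of accepted nonces.
SHARED_KEY = b"constructed-demo-key"   # made-up value
MAX_SKEW_SECONDS = 300                 # accept timestamps at most 5 minutes off


def _mac(key, body):
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def sign_request(key, client, action, now):
    """Client side: bind identity, action, time and a fresh nonce under one MAC."""
    body = {"client": client, "action": action, "ts": int(now),
            "nonce": os.urandom(16).hex()}
    return {**body, "mac": _mac(key, body)}

def verify_signature_only(key, req):
    """Weak validation: a captured request verifies forever, so replay succeeds."""
    body = {k: v for k, v in req.items() if k != "mac"}
    return hmac.compare_digest(_mac(key, body), req.get("mac", ""))

class ReplayGuard:
    """Server side: signature first, then freshness window, then nonce uniqueness."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key, self.max_skew = key, max_skew
        self.seen = {}  # nonce -> time after which it may be forgotten

    def verify(self, req, now):
        body = {k: v for k, v in req.items() if k != "mac"}
        if not hmac.compare_digest(_mac(self.key, body), req.get("mac", "")):
            return "rejected: bad signature"
        if abs(now - body["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        # Nonces older than the window are pruned: a replay that old already
        # fails the timestamp check, so the cache only has to span the window.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if body["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[body["nonce"]] = body["ts"] + self.max_skew
        return "accepted"
```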

Such exploitation has been demonstrated in cloud environments as well. For example, adversaries have exploited vulnerabilities in public cloud infrastructure that allowed for unintended authentication token creation and renewal.(Citation: Storm-0558 techniques for unauthorized email access)

Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.


Mappings

Capability ID: intel-vt
Capability Description: Intel Virtualization Technology
Mapping Type: Win 11, HWESP
ATT&CK ID: T1212
ATT&CK Name: Exploitation for Credential Access
Comments:
Windows Kernel Data Protection (KDP) uses VBS (Intel PTT, Intel VT-x, Intel VT-d, Intel VT-rp, and Intel BootGuard) to protect kernel data, kernel data structures, and OS drivers from tampering attacks. With KDP, software running in kernel mode can protect read-only memory statically (a section of its own image) or dynamically (pool memory that can be initialized only once). KDP only establishes write protections in VTL1 for the GPAs backing a protected memory region, using the SLAT page tables for the hypervisor to enforce. This way, no software running in the NT kernel (VTL0) can have the permissions needed to change the memory. The goal of using KDP is to protect internal policy state after it has been initialized (i.e., read from the registry or generated at boot time). These data structures are critical to protect because, if they could be tampered with, a properly signed but vulnerable driver could be used to attack the policy data structures and then install an unsigned driver on the system. With KDP, this attack is mitigated by ensuring the policy data structures cannot be tampered with. The score of significant highlights this real-time protection of kernel data, data structures, and drivers from tampering attacks. Hardware-enforced stack protection (HWESP) relies on Virtualization Based Security (VBS), which uses Intel PTT, Intel VT-x, Intel VT-d, and Intel BootGuard to ensure the OS components loaded are not tampered with and to isolate security-sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive regions of process memory (such as the stack) are not tampered with, either by injecting code or by changing the control flow of the code, or both. HWESP includes four components: Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard, and Shadow Stack protections. Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries". Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...". Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)." Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)." Together these features aim to ensure the integrity of binary images run on Windows 11 and to prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, they are marked as offering significant protection.
Capability ID: intel-vt
Capability Description: Intel Virtualization Technology
Mapping Type: Win 11, KDP
ATT&CK ID: T1212
ATT&CK Name: Exploitation for Credential Access
Comments:
Identical to the comment on the Win 11, HWESP row above, which covers both KDP and HWESP.
Capability ID: intel-pt
Capability Description: Intel Processor Trace
Mapping Type: Crowdstrike HEED
ATT&CK ID: T1212
ATT&CK Name: Exploitation for Credential Access
Comments:
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide a higher level of visibility into complex attack techniques, such as the real-time detection of software vulnerability exploitation targeting credential access. These exploits often involve attackers manipulating flaws in software, services, or the operating system itself to execute malicious code and gain unauthorized access to user credentials or system-level privileges. This capability, scored as significant, enables security teams to spot abnormal behavior such as suspicious API calls, unexpected code paths, or attempts to extract sensitive information. With Intel PT's telemetry stream, HEED makes it easier to detect exploitation techniques typically used in credential theft. By combining Intel PT's granular telemetry with advanced detection algorithms, HEED offers enhanced protection against evasive attacks that might bypass traditional security defenses. It enables organizations to proactively identify and mitigate credential access exploits, providing stronger protection for sensitive data and internal systems against evolving cyber threats.