{"id":45150,"date":"2017-10-06T05:00:49","date_gmt":"2017-10-06T12:00:49","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=45150"},"modified":"2026-06-11T15:28:51","modified_gmt":"2026-06-11T22:28:51","slug":"threat-brief-understanding-kernel-apc-attacks","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2017\/10\/threat-brief-understanding-kernel-apc-attacks\/","title":{"rendered":"Threat Brief: Understanding Kernel APC Attacks"},"content":{"rendered":"<p>In the months since the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/05\/unit42-threat-brief-wanacrypt0r-know\/\">WanaCrypt0r\/WannaCry<\/a> and the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/06\/unit42-threat-brief-petya-ransomware\/\">Petya\/NotPetya<\/a> attacks, security researchers have delved into the nuts and bolts of these incidents and the malware involved.<\/p>\n<p>One key thing that research into these security incidents shows is that these attacks used a relatively new and little-known technique called <strong>kernel APC attacks<\/strong> as part of their toolkit.<\/p>\n<p>Kernel APC attacks occur in a way that increases the \u201cstealth\u201d factor and makes standard detection and prevention very difficult. And kernel APC attacks do this while still maximizing the power and control that the code has on the target system.<\/p>\n<p>While kernel APC attacks aren\u2019t well known and can be hard to understand, their proven success in the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/05\/unit42-threat-brief-wanacrypt0r-know\/\">WanaCrypt0r\/WannaCry<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/06\/unit42-threat-brief-petya-ransomware\/\">Petya\/NotPetya<\/a> attacks makes them an important threat to understand, because proven attack techniques are quickly and widely adopted. 
And understanding is a first step to prevention.<\/p>\n<p>To understand what makes kernel APC attacks so dangerous, it\u2019s important to understand what they are.<\/p>\n<p>The kernel is the heart of the operating system. When talking about operating systems with security permissions and controls like Windows or UNIX\/Linux, the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Protection_ring\" rel=\"nofollow,noopener\" >kernel operates with the highest level of control<\/a>. Because of this, attacks against the kernel are used to gain complete control over a system, generally as part of an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation\" rel=\"nofollow,noopener\" >\u201celevation of privilege\u201d (EoP) or \u201cprivilege escalation\u201d attack<\/a>. Typically, attacks against the kernel are used in conjunction with code execution attacks so that an attacker can target a limited-privilege user but ultimately gain full control over the system.<\/p>\n<p>Privilege escalation attacks against the kernel have been around for some time, are well known, and can be well protected against.<\/p>\n<p>Kernel APC attacks, however, are a different class of attack. These don\u2019t attack the kernel to gain privileges. Instead, kernel APC attacks already have kernel privileges and use them to further carry out their attack, in this case by making legitimate programs execute malicious code rather than their own legitimate code.<\/p>\n<p>Kernel APC attacks do this by using their control over the kernel to redirect APCs: \u201c<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms681951(v=vs.85).aspx\" rel=\"nofollow,noopener\" >Asynchronous Procedure Calls<\/a>\u201d. APCs can basically be thought of as places in line for the CPU that the kernel gives access to. 
In a kernel APC attack, the attacker gives a legitimate program\u2019s place in line to the attacker\u2019s code.<\/p>\n<p>The crux of what makes this attack technique so important is how it uses this level of control to have legitimate programs run illegitimate commands. It\u2019s easier to detect and prevent illegitimate programs (malware) from executing commands. But when legitimate programs execute illegitimate commands, it\u2019s harder to detect and prevent: it\u2019s not always clear whether a command is legitimate or not, and interfering with commands from legitimate programs can have significant (sometimes catastrophic) unintended consequences. And finally, because of the way kernel APC attacks are carried out, they don\u2019t leave the usual fingerprints you find after an attack, making detection harder still.<\/p>\n<p>Taken altogether, these make kernel APC attacks an effective and sophisticated technique. And while this technique alone isn\u2019t solely responsible for the damaging power of <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/05\/unit42-threat-brief-wanacrypt0r-know\/\">WanaCrypt0r\/WannaCry<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/06\/unit42-threat-brief-petya-ransomware\/\">Petya\/NotPetya<\/a>, it is certainly an important contributing factor.<\/p>\n<p>Perhaps more importantly, it\u2019s a piece of those attacks that has escaped relative notice outside of some specialized parts of the research community.<\/p>\n<p>New, effective attack techniques that escape notice are always inviting for other copycat attackers. 
A good way to defend against this is to understand and be aware of the threat: forewarned is forearmed.<\/p>\n<p>If you want a more detailed understanding of kernel APC attacks as they occurred in <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/05\/unit42-threat-brief-wanacrypt0r-know\/\">WanaCrypt0r\/WannaCry<\/a>, two good resources are Microsoft\u2019s MMPC blog \u201c<a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/05\/12\/wannacrypt-ransomware-worm-targets-out-of-date-systems\/\" rel=\"nofollow,noopener\" >WannaCrypt ransomware worm targets out-of-date systems<\/a>\u201d and Countercept\u2019s \u201c<a href=\"https:\/\/www.countercept.com\/our-thinking\/doublepulsar-usermode-analysis-generic-reflective-dll-loader\/\" rel=\"nofollow,noopener\" >DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader<\/a>\u201d.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat Brief: Understanding Kernel APC Attacks.<\/p>\n","protected":false},"author":287,"featured_media":25785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10737],"tags":[4641,4638,3955,3952,221,3749,3752,3758,3755,3761,311],"coauthors":[3069],"class_list":["post-45150","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-intelligence","tag-apc","tag-kernel","tag-petya","tag-petya-ransomware","tag-ransomware","tag-wannacry","tag-wannacrypt","tag-wannacrypt0r","tag-wannacryptor","tag-wcry","tag-worm"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Linkedin.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/45150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:
\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/287"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=45150"}],"version-history":[{"count":1,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/45150\/revisions"}],"predecessor-version":[{"id":45153,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/45150\/revisions\/45153"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/25785"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=45150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=45150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=45150"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=45150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}