Exploit of privilege detection framework

US 10,565,378 B1
Filed: 06/29/2016
Issued: 02/18/2020
Est. Priority Date: 12/30/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:

responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;

detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;

responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;

determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;

responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and

responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including comparing a current privilege of a first process with an initial privilege of the first process recorded in a privilege list, and responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack is shown.

Citations

27 Claims

1. A non-transitory storage medium having stored thereon logic, the logic being executable by one or more processors to perform operations including:
- responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
  
  detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
  
  responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
  
  determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
  
  responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
  
  responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The non-transitory storage medium of claim 1, wherein the first process is running within a virtual machine and a virtual machine monitor performs intercepting of a request by the first process, the comparing of the current privilege of the first process with the initial privilege of the first process performed in response to intercepting the request by the first process, the request being one of a predetermined set of software calls.
  - 3. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including:
    - intercepting execution of an instruction to write data to a predetermined offset in memory by the first process;
      
      responsive to intercepting the execution of the instruction to write data to the predetermined offset in memory by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  - 4. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including:
    - monitoring scheduling of threads by the first process; and
      
      responsive to detecting scheduling of a thread by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  - 5. The non-transitory storage medium of claim 1, wherein the logic being executable by the one or more processors to perform operations further including:
    - responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process, generating, by a correlation engine, a score indicating whether the change in the current privilege of the first process and the initial privilege of the first process is due to an exploit of privilege attack.
  - 6. The non-transitory storage medium of claim 1, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  - 7. The non-transitory storage medium of claim 1, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first process.
  - 8. The non-transitory storage medium of claim 1, wherein a privilege comprises a privilege level.

9. A system comprising:
- one or more processors; and
  
  a non-transitory storage medium having stored thereon instructions, the instructions being executable by one or more processors to perform operations including;
  
  responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
  
  detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
  
  responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
  
  determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
  
  responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
  
  responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The system of claim 9, wherein the running processes are running within a virtual machine.
  - 11. The system of claim 9, wherein the data added to the privilege list is set forth in the first token associated with the first running process, the first token being associated with the first running process in a first one-to-one mapping at a time the data is added to the privilege list.
  - 12. The system of claim 11, wherein determining the change exists between the current privilege of the first running process and the initial privilege of the first running process is performed by determining whether the first token is associated with the first running process in the first one-to-one mapping at a time of a scanning of a list of all running processes.
  - 13. The system of claim 12, wherein determining whether the first token is associated with the first running process in the first one-to-one mapping at the time of the scanning of the list of all running processes is performed by determining whether a location in memory at which the first token is stored is associated with the first token in a second one-to-one mapping.
  - 14. The system of claim 9, wherein the instructions being executable by the one or more processors to perform operations further including:
    - responsive to determining the first running process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first running process operating with the current privilege due to the exploit of privilege attack.
  - 15. The system of claim 9, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  - 16. The system of claim 9, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first running process.
  - 17. The system of claim 9, wherein a privilege comprises a privilege level.

18. A method for detecting an exploit of privilege attack comprising:
- responsive to detecting creation of a first process, adding data to a privilege list, the data including (i) identification information of the first process and (ii) an initial privilege of the first process, wherein the data added to the privilege list is set forth in a first token associated with the first process, and the first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list;
  
  detecting performance of one or more operations and a modification of the first token that is associated with the first process, wherein the modification of the first token alters a current privilege of the first process to be greater than the initial privilege;
  
  responsive to detecting the performance of the one or more operations and the modification of the first token, comparing a current privilege of the first process with the initial privilege of the first process recorded in the privilege list;
  
  determining a change exists between the current privilege of the first process and the initial privilege of the first process that is greater than a predetermined threshold;
  
  responsive to determining the change exists between the current privilege of the first process and the initial privilege of the first process that is greater than the predetermined threshold, determining the first process is operating with the current privilege due to an exploit of privilege attack; and
  
  responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The method of claim 18, wherein the first process is running within a virtual machine and the comparing of the current privilege of the first process with the initial privilege of the first process is performed in response to intercepting a request by the first process, the request being one of a predetermined set of software calls.
  - 20. The method of claim 18 further comprising:
    - intercepting execution of an instruction to write data to a predetermined offset in memory by the first process;
      
      responsive to intercepting execution of the instruction to write data to the predetermined offset in the memory by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  - 21. The method of claim 18 further comprising:
    - monitoring scheduling of threads by the first process; and
      
      responsive to detecting scheduling of a thread by the first process, comparing the current privilege of the first process with the initial privilege of the first process recorded in the privilege list.
  - 22. The method of claim 18, wherein the data added to the privilege list is set forth in the first token associated with the first process, and first token being associated with the first process in a one-to-one mapping at a time the data is added to the privilege list.
  - 23. The method of claim 18 further comprising:
    - responsive to determining the first process is operating with the current privilege due to an exploit of privilege attack, generating an alert that the first process operating with the current privilege due to the exploit of privilege attack.
  - 24. The method of claim 18 further comprising:
    - responsive to determining a change exists between the current privilege of the first process and the initial privilege of the first process, generating, by a correlation engine, a score indicating whether the change in the current privilege of the first process and the initial privilege of the first process is due to an exploit of privilege attack.
  - 25. The method of claim 18, wherein the initial privilege is recorded in the privilege list at a first time, and the current privilege is determined at a second time, the second time subsequent to the first time.
  - 26. The method of claim 18, wherein the first token is an object having a specified structure that stores information describing privileges granted to the first process.
  - 27. The method of claim 18, wherein a privilege comprises a privilege level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Vincent, Michael, Vashist, Sai Omkar, Pfoh, Jonas
Primary Examiner(s)
Le, Khoi V

Application Number

US15/197,661
Time in Patent Office

1,329 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 9/468   Specific access rights for ...

G06F 9/4881   Scheduling strategies for d...

Exploit of privilege detection framework

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Exploit of privilege detection framework

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links