PRIVILEGE ESCALATION PROTECTION

US 20190311115A1
Filed: 04/30/2018
Published: 10/10/2019
Est. Priority Date: 04/06/2018
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

monitor a process executed on a computing device;

detect an unauthorized change in a token value associated with the process; and

perform an action based on a policy in response to the unauthorized change in the token value associated with the process; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for privilege escalation protection are disclosed. In some embodiments, a system/process/computer program product for privilege escalation protection includes monitoring a process executed on a computing device, detecting an unauthorized change in a token value associated with the process, and performing an action based on a policy (e.g., a kernel protection security policy/rule(s), which can include a whitelisted set of processes and/or configured actions/responses to perform for other/non-whitelisted processes) in response to an unauthorized change in the token value associated with the process.

Citations

20 Claims

1. A system, comprising:
- a processor configured to;
  
  monitor a process executed on a computing device;
  
  detect an unauthorized change in a token value associated with the process; and
  
  perform an action based on a policy in response to the unauthorized change in the token value associated with the process; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the processor is further configured to:
    - detect an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device.
  - 3. The system of claim 1, wherein the processor is further configured to:
    - detect an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.
  - 4. The system of claim 1, wherein the policy comprises a whitelisted set of processes.
  - 5. The system of claim 1, wherein the processor is further configured to:
    - cache an initial token value associated with the process.
  - 6. The system of claim 1, wherein the processor is further configured to:
    - check for token value changes in response to a trigger event.
  - 7. The system of claim 1, wherein the processor is further configured to:
    - check for token value changes in response to one or more trigger events including a new process creation, a thread creation, a registry operation, and a file operation.
  - 8. The system of claim 1, wherein the processor is further configured to:
    - perform a protection action based on the policy in response to the unauthorized change in the token value associated with the process.
  - 9. The system of claim 1, wherein the processor is further configured to:
    - kill the process based on the policy in response to the unauthorized change in the token value associated with the process.
  - 10. The system of claim 1, wherein the processor is further configured to:
    - generate an alert based on the policy in response to the unauthorized change in the token value associated with the process.

11. A method, comprising:
- monitoring a process executed on a computing device;
  
  detecting an unauthorized change in a token value associated with the process; and
  
  performing an action based on a policy in response to the unauthorized change in the token value associated with the process.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The method of claim 11, further comprising detecting an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device.
  - 13. The method of claim 11, further comprising detecting an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.
  - 14. The method of claim 11, wherein the policy comprises a whitelisted set of processes.
  - 15. The method of claim 11, further comprising caching an initial token value associated with the process.
  - 16. The method of claim 11, further comprising checking for token value changes in response to a trigger event.
  - 17. The method of claim 11, further comprising checking for token value changes in response to one or more trigger events including a new process creation, a thread creation, a registry operation, and a file operation.

18. A computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
- monitoring a process executed on a computing device;
  
  detecting an unauthorized change in a token value associated with the process; and
  
  performing an action based on a policy in response to the unauthorized change in the token value associated with the process.
- View Dependent Claims (19, 20)
- - 19. The computer program product recited in claim 18, further comprising computer instructions for detecting an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device.
  - 20. The computer program product recited in claim 18, further comprising computer instructions for detecting an attempt to change the token value associated with the process to a value that is associated with another process executed on the computing device that has kernel privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Lavi, Yaron, Aharoni, Eldar, Wexler, Elad

Granted Patent

US 10,984,098 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

G06F 2221/033   Test or assess software

PRIVILEGE ESCALATION PROTECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PRIVILEGE ESCALATION PROTECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links