US 11,720,669 B1
Interactive shell event detection
Brandon M. Edwards, Brooklyn, NY (US)
Assigned to Capsule8, Inc., New York, NY (US)
Filed by Capsule8, Inc., New York, NY (US)
Filed on Jun. 15, 2021, as Appl. No. 17/348,671.
Application 17/348,671 is a continuation of application No. 16/698,920, filed on Nov. 27, 2019, granted, now 11,080,395.
Claims priority of provisional application 62/773,892, filed on Nov. 30, 2018.
Claims priority of provisional application 62/825,737, filed on Mar. 28, 2019.
Int. Cl. G06F 21/55 (2013.01); G06F 11/36 (2006.01)
CPC G06F 21/554 (2013.01) [G06F 11/3636 (2013.01)] 20 Claims
 
1. A system, comprising:
a first processor; and
a memory coupled to the first processor, the memory storing instructions that configure the first processor to:
receive telemetry denoting that a program has been invoked on a node via a process;
determine that the invoked program is a shell based at least on a program path and name information associated with the process;
subsequent to determining that the invoked program is a shell, receive additional information including timing information associated with commands entered into the shell;
based at least in part on the received additional information, determine that the program is an interactive shell interactively operated by a user;
in response to determining that the program is an interactive shell, configure the node to tag one or more commands entered into the interactive shell for storage and query with a tag identifying the one or more commands as interactive shell commands associated with the program; and
manage a security policy for the node based on the tagged interactive shell commands.
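As an added illustration of the claimed flow (example code written for this page, not the patent's implementation and not Capsule8's code), the following Python walks the six steps of claim 1 over constructed telemetry. The set of program names treated as shells, the command-cadence heuristic used to decide "interactively operated by a user", and its thresholds are assumptions made for this example.

```python
import os
from statistics import median
# Assumptions for this example (not from the patent): which program names count as shells,
# and the cadence thresholds that separate a person typing from a script feeding a shell.
SHELL_NAMES = {"sh", "bash", "zsh", "dash", "ksh", "fish"}
HUMAN_MIN_GAP_S = 0.5   # scripted shells emit commands milliseconds apart
MIN_COMMANDS = 3        # need a few samples before trusting the timing signal

def is_shell(path: str, comm: str) -> bool:
    """Claim step 2: classify by the program path's basename and the process name (comm)."""
    return os.path.basename(path) in SHELL_NAMES and comm in SHELL_NAMES

def is_interactive(timestamps: list) -> bool:
    """Claim steps 3-4: human-like cadence, i.e. the typical gap between commands is large."""
    if len(timestamps) < MIN_COMMANDS:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return median(gaps) >= HUMAN_MIN_GAP_S

def process_telemetry(events: list) -> dict:
    """Returns {pid: session}; a session holds its program, interactive flag and tagged commands."""
    sessions = {}
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "exec" and is_shell(ev["path"], ev["comm"]):
            sessions[pid] = {"program": ev["path"], "interactive": False, "cmds": [], "tagged": []}
        elif ev["type"] == "cmd" and pid in sessions:
            s = sessions[pid]
            s["cmds"].append((ev["ts"], ev["cmd"]))
            if not s["interactive"] and is_interactive([t for t, _ in s["cmds"]]):
                s["interactive"] = True
            if s["interactive"]:
                # Claim step 5: tag the session's commands (earlier ones too) for storage and query.
                tag = "interactive_shell:" + s["program"]
                s["tagged"] = [{"ts": t, "cmd": c, "tag": tag} for t, c in s["cmds"]]
    return sessions

def policy_findings(sessions: dict, allow_interactive: bool = False) -> list:
    """Claim step 6, one possible policy: report interactive shells on a node that should have none."""
    return [f"pid {pid}: interactive {s['program']}" for pid, s in sessions.items() if s["interactive"] and not allow_interactive]

# Constructed telemetry: a scripted /bin/sh (pid 100) and a human-driven bash (pid 200).
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "path": "/bin/sh", "comm": "sh", "ts": 0.0},
    {"type": "cmd", "pid": 100, "cmd": "id", "ts": 0.01},
    {"type": "cmd", "pid": 100, "cmd": "uname -a", "ts": 0.02},
    {"type": "cmd", "pid": 100, "cmd": "cat /etc/os-release", "ts": 0.03},
    {"type": "exec", "pid": 200, "path": "/bin/bash", "comm": "bash", "ts": 5.0},
    {"type": "cmd", "pid": 200, "cmd": "ls", "ts": 6.2},
    {"type": "cmd", "pid": 200, "cmd": "cd /tmp", "ts": 9.8},
    {"type": "cmd", "pid": 200, "cmd": "whoami", "ts": 12.1},
]
```

Running `process_telemetry(SAMPLE_EVENTS)` classifies pid 100 as a shell but not interactive (its three commands arrive 10 ms apart), while pid 200 becomes interactive on its third command and all three of its commands receive the `interactive_shell:/bin/bash` tag.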