US 12,438,906 B2
Detecting KERBEROS ticket attacks within a domain
Jason Crabtree, Vienna, VA (US); and Andrew Sellers, Monument, CO (US)
Assigned to QOMPLX LLC, Reston, VA (US)
Filed by QOMPLX LLC, Reston, VA (US)
Filed on Apr. 18, 2024, as Appl. No. 18/639,954.
Application 18/639,954 is a continuation of application No. 18/489,003, filed on Oct. 18, 2023, granted, now 11,968,227.
Application 18/489,003 is a continuation of application No. 17/973,520, filed on Oct. 25, 2022, granted, now 11,799,900, issued on Oct. 24, 2023.
Application 17/170,288 is a continuation in part of application No. 17/169,924, filed on Feb. 8, 2021, granted, now 11,570,209, issued on Jan. 31, 2023.
Application 17/973,520 is a continuation of application No. 17/170,288, filed on Feb. 8, 2021, granted, now 11,570,204, issued on Jan. 31, 2023.
Application 17/169,924 is a continuation in part of application No. 15/837,845, filed on Dec. 11, 2017, granted, now 11,005,824, issued on May 11, 2021.
Application 15/837,845 is a continuation in part of application No. 15/825,350, filed on Nov. 29, 2017, granted, now 10,594,714, issued on Mar. 17, 2020.
Application 15/825,350 is a continuation in part of application No. 15/725,274, filed on Oct. 4, 2017, granted, now 10,609,079, issued on Mar. 31, 2020.
Application 15/725,274 is a continuation in part of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/655,113 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/616,427 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962, issued on Dec. 8, 2020.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/141,752 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Application 15/616,427 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Claims priority of provisional application 62/596,105, filed on Dec. 7, 2017.
Prior Publication US 2024/0267402 A1, Aug. 8, 2024
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); G06F 16/2458 (2019.01)
CPC H04L 63/1441 (2013.01) [G06F 16/2474 (2019.01); H04L 63/123 (2013.01); H04L 63/20 (2013.01)] 12 Claims
1. A system for detecting and mitigating ticket-based attacks within a domain, comprising:
a computing system comprising a memory and a processor;
an authentication object inspector comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing system to:
receive network traffic via a first network connection, the network traffic comprising at least a plurality of first authentication objects known to be generated by an identity provider associated with an authentication domain;
store a record of each received first authentication object, with attached metadata comprising a timestamp of when each first authentication object was received, in a time-series database;
compute a unique identifier of each first authentication object;
store the unique identifier of each first authentication object in a database of unique identifiers for the identity provider;
receive a request for access to a network resource within the authentication domain accompanied by a second authentication object;
compute a unique identifier of the second authentication object;
determine if the second unique identifier exists in the database of unique identifiers for the authentication provider; and
where the unique identifier of the second authentication object does not exist in the database of unique identifiers:
analyze a plurality of the stored first authentication objects to determine a plurality of compromised accounts;
generate an incident report comprising results of the analyses of the plurality of stored first authentication objects and the plurality of stored network traffic records; and
transmit the incident report via a second network connection that is not connected to, or visible to, the identity provider;
wherein each unique identifier is a cryptographic hash generated by performing a plurality of calculations and transformations on the respective authentication object.
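As an added illustration of the inspection logic in claim 1 (not code from the patent or from QOMPLX), the Python below hashes each ticket observed leaving the identity provider, logs it with a timestamp and source address, and flags a presented ticket whose hash was never recorded. The toy ticket encoding, the choice of SHA-256, and the same-source-host heuristic used to list compromised accounts are assumptions.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Optional

def encode_ticket(principal: str, service: str, issued_at: int) -> bytes:
    # Constructed stand-in for a ticket's bytes; real Kerberos tickets are
    # ASN.1-encoded and encrypted, but the inspector only hashes raw bytes.
    return f"{principal}|{service}|{issued_at}".encode()

@dataclass
class AuthenticationObjectInspector:
    """Mirrors claim 1: record identity-provider-issued tickets with arrival
    metadata, then check whether a presented ticket was ever issued."""
    ticket_log: list = field(default_factory=list)  # time-series records
    known_ids: set = field(default_factory=set)     # per-provider id database

    @staticmethod
    def identifier(ticket: bytes) -> str:
        # Cryptographic hash of the authentication object (SHA-256 assumed).
        return hashlib.sha256(ticket).hexdigest()

    def observe_issued(self, ticket: bytes, src: str, ts: Optional[float] = None) -> str:
        """First authentication object: seen leaving the identity provider."""
        uid = self.identifier(ticket)
        principal = ticket.split(b"|")[0].decode()
        self.ticket_log.append({"ts": ts if ts is not None else time.time(),
                                "id": uid, "principal": principal, "src": src})
        self.known_ids.add(uid)
        return uid

    def inspect_request(self, ticket: bytes, src: str) -> dict:
        """Second authentication object: presented with a resource request."""
        uid = self.identifier(ticket)
        if uid in self.known_ids:
            return {"alert": False, "id": uid, "compromised": []}
        # Never issued by the identity provider, so the ticket is forged. Review
        # the stored records to list accounts to treat as compromised: the
        # impersonated principal plus every account that obtained tickets from
        # the same host (heuristic assumed here). Sending the report over the
        # separate, out-of-band connection is left to the caller.
        claimed = ticket.split(b"|")[0].decode()
        accounts = {claimed} | {r["principal"] for r in self.ticket_log if r["src"] == src}
        return {"alert": True, "id": uid, "compromised": sorted(accounts),
                "records_reviewed": len(self.ticket_log)}

def demo() -> dict:
    insp = AuthenticationObjectInspector()
    # Constructed sample traffic: three tickets issued by the KDC to two hosts.
    insp.observe_issued(encode_ticket("alice", "cifs/fs1", 1000), "10.0.0.5", 1000)
    insp.observe_issued(encode_ticket("bob", "http/web1", 1010), "10.0.0.5", 1010)
    insp.observe_issued(encode_ticket("carol", "cifs/fs1", 1020), "10.0.0.9", 1020)
    # A ticket for "admin" the KDC never issued, presented from alice's host.
    return insp.inspect_request(encode_ticket("admin", "cifs/fs1", 1030), "10.0.0.5")
```

Running `demo()` returns an alert naming admin, alice and bob as the accounts to review, while a ticket that was recorded via `observe_issued` passes without an alert.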