CPC H04L 63/1425 (2013.01) [H04L 63/0807 (2013.01); H04L 63/0823 (2013.01); H04L 63/1416 (2013.01); H04L 63/1441 (2013.01)]; 20 Claims

1. A computer-implemented method for preventing credential passing attacks, the computer-implemented method comprising:
receiving, by a computer system, an input;
determining, by a credential passing mitigation module, whether the input is a credential access command, wherein the determination of whether the input is a credential access command comprises searching for occurrences of references to executables related to adding, reading, copying, or performing actions with respect to a credential in a user session;
if the input is determined to be a credential access command, performing, by an anomaly detection module, anomaly detection corresponding to the credential access command, wherein performing the anomaly detection comprises:
evaluating whether a user is a valid domain user to which the credential belongs;
evaluating whether an elapsed time of the credential is greater than a maximum lifetime of the credential; and
evaluating whether a privilege attribute certificate of the credential is valid;
determining that an anomaly exists if:
(i) a console command was generated by an invalid domain user;
(ii) an elapsed time of the credential is greater than a maximum lifetime for the credential; or
(iii) the privilege attribute certificate of the credential is invalid; and
if an anomaly is determined to exist, performing mitigation of the anomaly,
wherein the computer system comprises a processor and memory.
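The claimed pipeline (credential-access command detection, the three anomaly checks, and the mitigation decision) as an added Python illustration; this is not code from the patent or its assignee. The executable watchlist, the valid-user directory, the credential fields and the sample inputs are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed watchlist: executables related to adding, reading or copying a
# credential in a user session (placeholder names, not taken from the patent).
CREDENTIAL_EXECUTABLES = {"klist", "kinit", "credtool"}
# Assumed directory of valid (domain, user) pairs the credential may belong to.
VALID_DOMAIN_USERS = {("CORP", "alice"), ("CORP", "bob")}


@dataclass
class Credential:
    domain: str
    user: str
    issued_at: datetime       # when the credential was issued
    max_lifetime: timedelta   # maximum lifetime granted to the credential
    pac_valid: bool           # result of privilege attribute certificate check


def is_credential_access_command(command: str) -> bool:
    """Claim step: search the input for references to credential executables."""
    for token in command.split():
        name = token.strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name in CREDENTIAL_EXECUTABLES:
            return True
    return False


def detect_anomalies(cred: Credential, now: datetime) -> list:
    """The three checks of the claim; returns the anomaly conditions that hold."""
    anomalies = []
    if (cred.domain.upper(), cred.user.lower()) not in VALID_DOMAIN_USERS:
        anomalies.append("invalid_domain_user")       # condition (i)
    if now - cred.issued_at > cred.max_lifetime:
        anomalies.append("lifetime_exceeded")         # condition (ii)
    if not cred.pac_valid:
        anomalies.append("invalid_pac")               # condition (iii)
    return anomalies


def evaluate_input(command: str, cred: Credential, now: datetime) -> dict:
    """Run anomaly detection only for credential access commands; flag mitigation if any anomaly."""
    if not is_credential_access_command(command):
        return {"credential_access": False, "anomalies": [], "mitigate": False}
    anomalies = detect_anomalies(cred, now)
    return {"credential_access": True, "anomalies": anomalies, "mitigate": bool(anomalies)}


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD_CRED = Credential("CORP", "alice", NOW - timedelta(hours=2), timedelta(hours=10), True)
BAD_CRED = Credential("CORP", "mallory", NOW - timedelta(hours=12), timedelta(hours=10), False)
```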