Method and mechanism for detection of pass-the-hash attacks
US11916953B2 · kind B2 · utility
Assignee
Inventor
Key dates
| Date | Value |
|---|---|
| Filing date | Sep 23, 2019 |
| Grant date | Feb 27, 2024 |
| Priority date | — |
| Expiry date | Dec 28, 2042 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1441
- WIPO field: Digital communication
- WIPO sector: Electrical engineering
Abstract
A method of generating a baseline of expected behavior on a single machine or endpoint in order to accurately fingerprint the native behavior of the NTLM protocol on that particular endpoint in a network. By limiting the baseline to a single endpoint, it can be reduced to that endpoint's expected behavior (including supported hash functions, version strings and various feature flags). Deviations from these behaviors are treated as evidence of an additional, non-native implementation of NTLM being used by an attacker, and thus as evidence of an attempted pass-the-hash (PTH) attack. Using this method it is possible to accurately detect PTH attacks originating from all publicly known non-standard implementations of NTLM found in tools such as Impacket, Metasploit, and Invoke-TheHash.
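The per-endpoint baseline-and-deviation logic the abstract describes, as an added illustration that is not the patent's own method or code: the record layout, field names (version string, offered hash/response types, negotiate flags) and all sample values are assumptions constructed for the example, not real fingerprints of any OS or tool.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class NtlmObservation:
    endpoint: str              # host that initiated the NTLM exchange
    version: str               # OS version string carried in the NTLM messages
    hash_functions: frozenset  # response/hash types offered, e.g. {"NTLMv2"}
    flags: frozenset           # negotiate flags the client set

@dataclass
class EndpointBaseline:
    """What one endpoint's native NTLM stack has been seen to do."""
    versions: set = field(default_factory=set)
    hash_functions: set = field(default_factory=set)
    flags_ever: set = field(default_factory=set)  # any flag seen at least once
    flags_always: set = None                       # flags present in every session

    def learn(self, obs):
        self.versions.add(obs.version)
        self.hash_functions |= obs.hash_functions
        self.flags_ever |= obs.flags
        self.flags_always = (set(obs.flags) if self.flags_always is None
                             else self.flags_always & obs.flags)

    def deviations(self, obs):
        # A field deviates when it shows something this endpoint never does,
        # or omits something it always does (a second NTLM stack in use).
        out = []
        if obs.version not in self.versions:
            out.append("version")
        if not obs.hash_functions <= self.hash_functions:
            out.append("hash_functions")
        if obs.flags - self.flags_ever or (self.flags_always or set()) - obs.flags:
            out.append("flags")
        return out

def build_baselines(history):
    baselines = {}
    for obs in history:  # learning phase: only trusted, native sessions
        baselines.setdefault(obs.endpoint, EndpointBaseline()).learn(obs)
    return baselines

def detect(baselines, live):
    alerts = []  # (endpoint, deviating fields); unknown endpoints get no verdict
    for obs in live:
        dev = baselines[obs.endpoint].deviations(obs) if obs.endpoint in baselines else []
        if dev:
            alerts.append((obs.endpoint, dev))
    return alerts

# Constructed sample data; flag and version strings are illustrative only.
NATIVE = frozenset({"NEGOTIATE_NTLM", "NEGOTIATE_UNICODE", "REQUEST_TARGET", "NEGOTIATE_VERSION"})
HISTORY = [NtlmObservation("ws01", "10.0.19041", frozenset({"NTLMv2"}), NATIVE | {"NEGOTIATE_SIGN"}),
           NtlmObservation("ws01", "10.0.19041", frozenset({"NTLMv2"}), NATIVE)]
LIVE = [NtlmObservation("ws01", "10.0.19041", frozenset({"NTLMv2"}), NATIVE),
        NtlmObservation("ws01", "6.1.7601", frozenset({"NTLMv1", "NTLMv2"}),
                        frozenset({"NEGOTIATE_NTLM", "NEGOTIATE_UNICODE"}))]
```

Running `detect(build_baselines(HISTORY), LIVE)` flags only the second live session, on all three fields, since it carries a version string, a response type and a flag set that ws01's own stack has never produced.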
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.