Patents by Inventor ITAI GRADY ASHKENAZY

ITAI GRADY ASHKENAZY has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230244916
    Abstract: The techniques disclosed herein identify ransomware attacks as they are occurring, improving the security and functionality of computer systems. Ransomware attacks are identified using a new probabilistic machine learning model that better handles the unique properties of ransomware data. Ransomware data includes a list of computing operations, some of which are labeled as being associated with ransomware attacks. In contrast to deterministic machine learning techniques that learn weights, probabilistic machine learning techniques learn the parameters of a distribution function. In some configurations, a radial Spike and Slab distribution function is used within a Bayesian neural network framework to better handle sparse, missing, and imbalanced data. Once trained, the machine learning model may be provided with real-time operations, e.g., from a cloud service security module, from which to infer whether a ransomware attack is taking place.
    Type: Application
    Filed: April 14, 2022
    Publication date: August 3, 2023
    Inventors: Jack Wilson STOKES, III, Jurijs NAZAROVS, Melissa TURCOTTE, Justin CARROLL, Itai GRADY ASHKENAZY
  • Publication number: 20210367956
    Abstract: A target system is verified against one or more security threats. A selection of a threat type for an attack vector for verifying defensive capabilities of a target system is received via a user interface. A selection of one or more selectable parameters for delivery of the threat type to the target system is received via the user interface. In response to selection of the threat type and the selected parameters, a base binary executable and a library comprising functions for generating attack vectors is accessed. One or more functions from the library are added to the base binary executable based on the selected threat type and the selected parameters. A payload is generated that implements the selected threat type and the selected parameters in a delivery format based on the selected parameters.
    Type: Application
    Filed: May 22, 2020
    Publication date: November 25, 2021
    Inventors: Guy PERGAL, Israel Rotem SALINAS, Abhijeet Surendra HATEKAR, Itai GRADY ASHKENAZY
  • Patent number: 11126713
    Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The directory reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.
    Type: Grant
    Filed: April 8, 2019
    Date of Patent: September 21, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Tal J. Maor, Itai Grady Ashkenazy, Gal Z. Bruchim, Jonathan M. Monsonego, Sivan Krigsman, Lior Schindler
  • Patent number: 11108818
    Abstract: Cybersecurity is enhanced to detect credential spray attacks. Accounts with access failure events are divided into buckets B1 . . . BN based on access failure count ranges R1 . . . RN. For instance, accounts with one logon failure may go in B1, accounts with two failures in B2, etc. Buckets will thus have account involvement extents E1 . . . EN, which are compared to thresholds T1 . . . TN. An intrusion detection tool generates an alert when some Ei hits its Ti. Detection may spot any credential sprays, not merely password sprays. False positives may be reduced by excluding items from consideration, such as logon attempts using old passwords. False positives and false negatives may be balanced by tuning threshold parameters. Breached accounts may be found. Detection may also permit other responses, such as attack disruption, harm mitigation, and attacker identification. Credential spray attack detection may be combined with other security mechanisms for defense in depth of cloud and other network accounts.
    Type: Grant
    Filed: February 17, 2019
    Date of Patent: August 31, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tal Joseph Maor, Gal Zeev Bruchim, Igal Gofman, Itai Grady Ashkenazy
  • Patent number: 10915622
    Abstract: Embodiments are directed to monitoring local users' activity without installing an agent on a monitored machine. Periodic scans of the local users' directory using the standard protocol messages and APIs of a remote admin interface provide access to local machine data. Using the remote admin interface, defenders gain visibility to local users' logons, group membership, password changes, and other parameters. Security applications enabled by this visibility include, but are not limited to, abnormal logons detection, abnormal group addition and removal detection, and abnormal password changes detection.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: February 9, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Marina Simakov, Tal Be'ery, Itai Grady Ashkenazy, Chaim Menachem Hoch, Tal Joseph Maor
  • Publication number: 20200320190
    Abstract: A system for detecting directory reconnaissance in a directory service includes a sensor and a directory reconnaissance detector, each of which is executing on one or more computing devices. The sensor determines whether a query that is submitted to a directory server is a suspicious query and, if the query is determined to be a suspicious query, transmits the suspicious query to the directory reconnaissance detector. The directory reconnaissance detector includes a receiver, a context obtainer, an alert determiner and an alert transmitter. The receiver receives the suspicious query from the sensor and the context obtainer obtains context information associated with the suspicious query. The alert determiner determines whether a security alert should be generated based at least on the suspicious query and the context information. The alert transmitter generates the security alert responsive to a determination that the security alert should be generated.
    Type: Application
    Filed: April 8, 2019
    Publication date: October 8, 2020
    Inventors: Tal J. Maor, Itai Grady Ashkenazy, Gal Z. Bruchim, Jonathan M. Monsonego, Sivan Krigsman, Lior Schindler
  • Publication number: 20200267178
    Abstract: Cybersecurity is enhanced to detect credential spray attacks. Accounts with access failure events are divided into buckets B1 . . . BN based on access failure count ranges R1 . . . RN. For instance, accounts with one logon failure may go in B1, accounts with two failures in B2, etc. Buckets will thus have account involvement extents E1 . . . EN, which are compared to thresholds T1 . . . TN. An intrusion detection tool generates an alert when some Ei hits its Ti. Detection may spot any credential sprays, not merely password sprays. False positives may be reduced by excluding items from consideration, such as logon attempts using old passwords. False positives and false negatives may be balanced by tuning threshold parameters. Breached accounts may be found. Detection may also permit other responses, such as attack disruption, harm mitigation, and attacker identification. Credential spray attack detection may be combined with other security mechanisms for defense in depth of cloud and other network accounts.
    Type: Application
    Filed: February 17, 2019
    Publication date: August 20, 2020
    Inventors: Tal Joseph MAOR, Gal Zeev BRUCHIM, Igal GOFMAN, Itai GRADY ASHKENAZY
  • Patent number: 10587611
    Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: March 10, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC.
    Inventors: Tal Joseph Maor, Itai Grady Ashkenazy, Michael Dubinsky, Marina Simakov
  • Publication number: 20190068573
    Abstract: The network logon protocol used in a pass-through authentication request embedded in an encrypted network packet is identified. A protocol detection engine correlates events and network requests received at a domain controller in order to use the data contained in a correlated pair to determine a size of a challenge response in the encrypted network packet. The size of the response is used to identify the network logon protocol used in the pass-through authentication request.
    Type: Application
    Filed: August 29, 2017
    Publication date: February 28, 2019
    Inventors: TAL JOSEPH MAOR, ITAI GRADY ASHKENAZY, MICHAEL DUBINSKY, MARINA SIMAKOV