Patents by Inventor Thomas Couser
Thomas Couser has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Publication number: 20250045390
  Abstract: A computing device can receive a notification that a process has interacted with the operating system to perform a predetermined operation on the at least one computing device. In response to the notification, the computing device can capture a current access token from the process. The computing device can perform a comparison of the current access token captured from the process against a stored access token. The computing device can determine that an escalation of privilege attack has occurred based on the comparison of the current access token captured from the process against the stored access token.
  Type: Application
  Filed: October 22, 2024
  Publication date: February 6, 2025
  Inventors: John Goodridge, Thomas Couser
- Patent number: 12174938
  Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The agent can determine whether to permit the intercepted request by validating the relationship using a policy with rules and determining that a trusted owner is among the set of identified owners. The agent can permit the intercepted request if the determination is to permit the intercepted request.
  Type: Grant
  Filed: September 15, 2023
  Date of Patent: December 24, 2024
  Assignee: Avecto Limited
  Inventors: John Goodridge, Thomas Couser, James William Maude
- Patent number: 12153673
  Abstract: A computing device can capture a current access token of a user process. The computing device can perform a determination of whether the current access token for the user process differs from a particular access token of a parent process of the user process. The computing device can detect whether the user process has been subject to an escalation of privilege attack based on the determination of whether the current access token for the user process differs from the particular access token. The computing device can perform a mitigation action with respect to the user process in response to detecting that the user process has been subject to the escalation of privilege attack.
  Type: Grant
  Filed: June 8, 2023
  Date of Patent: November 26, 2024
  Assignee: Avecto Limited
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20240004989
  Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The agent can determine whether to permit the intercepted request by validating the relationship using a policy with rules and determining that a trusted owner is among the set of identified owners. The agent can permit the intercepted request if the determination is to permit the intercepted request.
  Type: Application
  Filed: September 15, 2023
  Publication date: January 4, 2024
  Inventors: John Goodridge, Thomas Couser, James William Maude
- Patent number: 11797664
  Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component in a user account of a logged-in user. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The user account can be assigned default user privileges by a privilege access management service. The agent can determine whether to permit the intercepted request. The agent can permit the intercepted request if the relationship is validated and if a trusted owner is identified amongst the set of identified owners.
  Type: Grant
  Filed: February 24, 2021
  Date of Patent: October 24, 2023
  Assignee: Avecto Limited
  Inventors: John Goodridge, Thomas Couser, James William Maude
- Publication number: 20230315845
  Abstract: A computing device can capture a current access token of a user process. The computing device can perform a determination of whether the current access token for the user process differs from a particular access token of a parent process of the user process. The computing device can detect whether the user process has been subject to an escalation of privilege attack based on the determination of whether the current access token for the user process differs from the particular access token. The computing device can perform a mitigation action with respect to the user process in response to detecting that the user process has been subject to the escalation of privilege attack.
  Type: Application
  Filed: June 8, 2023
  Publication date: October 5, 2023
  Inventors: John Goodridge, Thomas Couser
- Patent number: 11714901
  Abstract: A computing device can receive a first notification that a process has started on the at least one computing device. The computing device can record a first access token associated with the process into the token cache. The computing device can receive a second notification that the process has interacted with the operating system to perform at least one of a set of predetermined operations on the at least one computing device. The computing device can capture a second access token from the process. The computing device can perform a comparison of the second access token captured from the process against the first access token recorded into the token cache. The computing device can determine that an escalation of privilege attack has occurred based on the comparison.
  Type: Grant
  Filed: April 26, 2022
  Date of Patent: August 1, 2023
  Assignee: Avecto Limited
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20220335125
  Abstract: A computing device can receive a first notification that a process has started on the at least one computing device. The computing device can record a first access token associated with the process into the token cache. The computing device can receive a second notification that the process has interacted with the operating system to perform at least one of a set of predetermined operations on the at least one computing device. The computing device can capture a second access token from the process. The computing device can perform a comparison of the second access token captured from the process against the first access token recorded into the token cache. The computing device can determine that an escalation of privilege attack has occurred based on the comparison.
  Type: Application
  Filed: April 26, 2022
  Publication date: October 20, 2022
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20220277092
  Abstract: A server device for managing privilege delegation to control execution of commands thereon is described. Execution of a command, according to first privileges, by a remote management (RM) server on the server device is requested from an RM client on a client device. An agent plug-in, chained to a command execution plug-in of the RM server, intercepts the request and forwards related information to an agent service cooperating with an operating system of the server device. The agent service determines whether to execute the command according to second privileges, different from the first privileges, and, if permitted, delegates the second privileges to the command and causes, via the agent plug-in chained to the command execution plug-in, the command to be executed according to the second privileges.
  Type: Application
  Filed: May 17, 2022
  Publication date: September 1, 2022
  Inventors: John Goodridge, Thomas Couser
- Patent number: 11379622
  Abstract: A server device for managing privilege delegation to control execution of commands thereon is described. Execution of a command, according to first privileges, by a remote management (RM) server on the server device is requested from an RM client on a client device. An agent plug-in, chained to a command execution plug-in of the RM server, intercepts the request and forwards related information to an agent service cooperating with an operating system of the server device. The agent service determines whether to execute the command according to second privileges, different from the first privileges, and, if permitted, delegates the second privileges to the command and causes, via the agent plug-in chained to the command execution plug-in, the command to be executed according to the second privileges.
  Type: Grant
  Filed: January 28, 2019
  Date of Patent: July 5, 2022
  Assignee: AVECTO LIMITED
  Inventors: John Goodridge, Thomas Couser
- Patent number: 11321455
  Abstract: A computer device has a kernel driver in a kernel mode of the operating system which records an access token as initially associated with a user process. Later, the user process presents its access token when requesting certain operations through the operating system. The kernel driver detects that the user process has been subject to an escalation of privilege attack by evaluating the access token in its presented form as against the initially recorded access token and, in response, performs a mitigation action such as suspending the user process.
  Type: Grant
  Filed: April 12, 2019
  Date of Patent: May 3, 2022
  Assignee: Avecto Limited
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20210182380
  Abstract: A computer device, including at least a processor and a memory, can be configured to control process components on a computer device. An agent can intercept a request to instantiate a new process component in a user account of a logged-in user. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The user account can be assigned default user privileges by a privilege access management service. The agent can determine whether to permit the intercepted request. The agent can permit the intercepted request if the relationship is validated and if a trusted owner is identified amongst the set of identified owners.
  Type: Application
  Filed: February 24, 2021
  Publication date: June 17, 2021
  Inventors: John Goodridge, Thomas Couser, James William Maude
- Patent number: 10963557
  Abstract: There is described a computer device, including at least a processor and a memory, configured to control process components on the computer device, the computer device comprising: an operating system, a privilege access management service cooperating with the operating system and an agent; wherein the agent is configured to: intercept a request to instantiate a new process component in a user account of a logged-in user, wherein the request originates from an instance of a particular process component amongst a set of process components and wherein the user account has assigned thereto default user privileges by the privilege access management service; determine whether to permit the intercepted request including by: validating a relationship between the new process component and the particular process component; and establishing a set of identified owners by identifying owners of the new process component, the particular process and any parents thereof; permit the intercepted request if the relationship is v
  Type: Grant
  Filed: September 7, 2018
  Date of Patent: March 30, 2021
  Assignee: AVECTO LIMITED
  Inventors: John Goodridge, Thomas Couser, James William Maude
- Publication number: 20190325133
  Abstract: A computer device has a kernel driver in a kernel mode of the operating system which records an access token as initially associated with a user process. Later, the user process presents its access token when requesting certain operations through the operating system. The kernel driver detects that the user process has been subject to an escalation of privilege attack by evaluating the access token in its presented form as against the initially recorded access token and, in response, performs a mitigation action such as suspending the user process.
  Type: Application
  Filed: April 12, 2019
  Publication date: October 24, 2019
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20190236293
  Abstract: A server device for managing privilege delegation to control execution of commands thereon is described. Execution of a command, according to first privileges, by a remote management (RM) server on the server device is requested from an RM client on a client device. An agent plug-in, chained to a command execution plug-in of the RM server, intercepts the request and forwards related information to an agent service cooperating with an operating system of the server device. The agent service determines whether to execute the command according to second privileges, different from the first privileges, and, if permitted, delegates the second privileges to the command and causes, via the agent plug-in chained to the command execution plug-in, the command to be executed according to the second privileges.
  Type: Application
  Filed: January 28, 2019
  Publication date: August 1, 2019
  Inventors: John Goodridge, Thomas Couser
- Publication number: 20190080081
  Abstract: There is described a computer device 100, including at least a processor and a memory, configured to control process components on the computer device 100, the computer device 100 comprising: an operating system 102, a privilege access management service 103 cooperating with the operating system 102 and an agent 700; wherein the agent 700 is configured to: intercept a request to instantiate a new process component 120B in a user account 110 of a logged-in user, wherein the request originates from an instance of a particular process component 120A amongst a set of process components 120 and wherein the user account 110 has assigned thereto default user privileges by the privilege access management service 103; determine whether to permit the intercepted request including by: validating a relationship between the new process component 120B and the particular process component 120A; and establishing a set of identified owners by identifying owners of the new process component 120B, the particular process compone
  Type: Application
  Filed: September 7, 2018
  Publication date: March 14, 2019
  Inventors: John Goodridge, Thomas Couser, James William Maude