Patents by Inventor Urfan Ahmed

Urfan Ahmed has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11983272
    Abstract: Privilege escalation monitoring may include initiating a learning mode, recording application attributes of one or more applications on a host system to an application repository, recording process attributes of one or more running processes on the host system to an access repository, recording API calls of the one or more running processes on the host system to an API repository, terminating the learning mode, initializing a protecting mode, identifying running processes on the host system based on records in the application repository, determining whether the identified running processes have system access violations based on the application repository, determining whether the identified running processes have file permission escalations based on the access repository, determining whether the identified running processes have failed privileged API calls based on the API repository, generating an alert and terminating an offending process corresponding to the determinations.
    Type: Grant
    Filed: July 14, 2021
    Date of Patent: May 14, 2024
    Assignee: Saudi Arabian Oil Company
    Inventor: Urfan Ahmed
  • Patent number: 11768935
    Abstract: A system and methodology for preventing extraction of an authentication credential from a memory in a computer. The system and methodology include identifying a memory area used by a native process, monitoring the memory area for any access of the memory area by a process, detecting when data is being read from the memory area, detecting an amount of data being read from the memory area, comparing the amount of data being read from the memory area to a data amount threshold value, and blocking access to the memory area or terminating said process when the amount of data being read from the memory area reaches or exceeds the data amount threshold. The native process can include a Windows® operating system lsass.exe process.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: September 26, 2023
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed
  • Patent number: 11768933
    Abstract: A cybersecurity solution for preventing malware from infecting a computing device or a computer resource on the computing device. The solution can include detecting a computer resource process running or attempting to run on an operating system and comparing details of the computer resource process against an authorized processes database containing details of previously run computer resource processes to determine if the computer resource process is running or attempting to run for a first time on the operating system.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: September 26, 2023
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed
  • Publication number: 20230214479
    Abstract: A system and method for detecting and preventing unauthorized access to a computer. The method is configured to control access to the computer. The computer operates in a learning mode including listing, in a whitelist in a memory of the computer, an executable application in the computer, and operating the computer in a protected mode. During operation of the computer in the protected mode, the method detects a first application in the computer, wherein the first application is transferred from a first external resource operatively connected to the computer, suspends execution of the first application, determines whether the first application is in the whitelist, and, if the first application is in the whitelist, allows the first application to be executed, thereby controlling the access of the first application to the computer. The system implements the method using a monitoring sub-system in the computer.
    Type: Application
    Filed: January 4, 2022
    Publication date: July 6, 2023
    Inventor: Urfan Ahmed
  • Patent number: 11593482
    Abstract: Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.
    Type: Grant
    Filed: March 4, 2021
    Date of Patent: February 28, 2023
    Assignee: Saudi Arabian Oil Company
    Inventor: Urfan Ahmed
  • Publication number: 20230019015
    Abstract: Privilege escalation monitoring may include initiating a learning mode, recording application attributes of one or more applications on a host system to an application repository, recording process attributes of one or more running processes on the host system to an access repository, recording API calls of the one or more running processes on the host system to an API repository, terminating the learning mode, initializing a protecting mode, identifying running processes on the host system based on records in the application repository, determining whether the identified running processes have system access violations based on the application repository, determining whether the identified running processes have file permission escalations based on the access repository, determining whether the identified running processes have failed privileged API calls based on the API repository, generating an alert and terminating an offending process corresponding to the determinations.
    Type: Application
    Filed: July 14, 2021
    Publication date: January 19, 2023
    Applicant: Saudi Arabian Oil Company
    Inventor: Urfan Ahmed
  • Patent number: 11489849
    Abstract: A cybersecurity solution that includes a system, method, or computer program for detecting and remediating malicious code in a communicating device on a computer network that connects to the Internet through a proxy server. The solution includes an operating system arranged to monitor all computing resource (CR) processes on an operating system kernel on the communicating device, determine process parameters for each CR process, determine whether each CR process is a connecting CR process by determining whether it is connecting to the proxy server, compare at least one of the process parameters for each connecting CR process with a whitelist, generate an event notification when at least one process parameter for a connecting CR process does not match the whitelist, and remediate the connecting CR process that has the at least one process parameter.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: November 1, 2022
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed
  • Publication number: 20220284095
    Abstract: Systems and methods to detect malicious software include an application software repository including a stored header file associated with a driver, an executable, or both, and are operable to (i) receive a memory dump file upon an operating system crash including a driver copy, an executable copy, or both, (ii) verify the memory dump file is new for analysis, (iii) compress the verified memory dump file to generate a memory snapshot of the verified memory dump file, (iv) scan the memory snapshot for a memory dump header file associated with the driver copy, the executable copy, or both, and (v) identify and extract malicious software when the memory dump header file from the memory snapshot fails to match at least one stored header file in the application software repository.
    Type: Application
    Filed: March 4, 2021
    Publication date: September 8, 2022
    Applicant: Saudi Arabian Oil Company
    Inventor: Urfan Ahmed
  • Publication number: 20220100854
    Abstract: A system and methodology for preventing extraction of an authentication credential from a memory in a computer. The system and methodology include identifying a memory area used by a native process, monitoring the memory area for any access of the memory area by a process, detecting when data is being read from the memory area, detecting an amount of data being read from the memory area, comparing the amount of data being read from the memory area to a data amount threshold value, and blocking access to the memory area or terminating said process when the amount of data being read from the memory area reaches or exceeds the data amount threshold. The native process can include a Windows® operating system lsass.exe process.
    Type: Application
    Filed: September 29, 2020
    Publication date: March 31, 2022
    Inventor: Urfan Ahmed
  • Publication number: 20220050896
    Abstract: A cybersecurity solution for preventing malware from infecting a computing device or a computer resource on the computing device. The solution can include detecting a computer resource process running or attempting to run on an operating system and comparing details of the computer resource process against an authorized processes database containing details of previously run computer resource processes to determine if the computer resource process is running or attempting to run for a first time on the operating system.
    Type: Application
    Filed: August 11, 2020
    Publication date: February 17, 2022
    Inventor: Urfan Ahmed
  • Publication number: 20210218759
    Abstract: A cybersecurity solution that includes a system, method, or computer program for detecting and remediating malicious code in a communicating device on a computer network that connects to the Internet through a proxy server. The solution includes an operating system arranged to monitor all computing resource (CR) processes on an operating system kernel on the communicating device, determine process parameters for each CR process, determine whether each CR process is a connecting CR process by determining whether it is connecting to the proxy server, compare at least one of the process parameters for each connecting CR process with a whitelist, generate an event notification when at least one process parameter for a connecting CR process does not match the whitelist, and remediate the connecting CR process that has the at least one process parameter.
    Type: Application
    Filed: January 14, 2020
    Publication date: July 15, 2021
    Inventor: Urfan Ahmed
  • Patent number: 11057324
    Abstract: A method for analyzing an attachment of an electronic mail (e-mail) transmitted from an external network may include intercepting the e-mail comprising the attachment intended for a recipient. The method may include analyzing the attachment for encryption to identify an encrypted attachment. The method may include determining whether the encrypted attachment has been received previously by the recipient by comparing a hash corresponding to the encrypted attachment against a plurality of hashes stored in an attachment repository. The method may include attempting to open the encrypted attachment using a password from a password repository comprising a plurality of known passwords. The method may include extracting the encrypted attachment from the e-mail upon failing to open the encrypted attachment using the plurality of known passwords. The method may include redirecting the recipient to an interface configured to prompt the recipient for a new password that is associated with the encrypted attachment.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: July 6, 2021
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed