Microsoft Corporation
Attack detection through exposure of command abuse

Abstract:

Cybersecurity enhancements expose likely cyberattacks and command abuse while reducing false positives. Some embodiments ascertain an operating system mismatch, which occurs when a command tailored for operating system X is asserted in an environment tailored to operating system Y. False positives may be reduced by alerting on such a mismatch only when a command's process belongs to a web server or other targeted process, or uses the same supporting technology (e.g., framework, scripting language, or runtime environment) as the web server or other targeted process. Some embodiments watch for command abuse by spotting assertions of commands that appear frequently in cyberattacks even though those commands also have legitimate uses such as system administration, network administration, or software development.