Invention Title:

DECEIVING ATTACKERS ACCESSING ACTIVE DIRECTORY DATA

Publication number:

US20250260721

Publication date:
Section:

Electricity

Class:

H04L63/1491

Inventors:

Assignee:

Applicant:

Smart overview of the Invention

The system introduces a sensor module deployed on network endpoints that intercepts commands and verifies their source against a list of sanctioned applications supplied by a management server. If the source of a command is not sanctioned, write and delete commands are ignored but answered with simulated acknowledgments, while read commands are answered with deception data. This approach helps protect Active Directory data by ensuring that unauthorized sources receive either misleading information or no real effect at all.

Functionality

The source of a command is verified by evaluating its certificate, hash, or path. The system alters responses from Active Directory servers, redirecting requests to decoy servers when they do not originate from a sanctioned application. This thwarts attackers attempting lateral movement within a compromised network by feeding them false data and preventing unauthorized data manipulation.
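The decision logic described above, as an added illustration that is not part of the patent text or any product implementing it: a sensor module checks the path, hash and code-signing subject of the process issuing an intercepted Active Directory command against a sanctioned-application list, forwards sanctioned commands to the real data, answers unsanctioned reads with deception data, and acknowledges unsanctioned writes and deletes without applying them. Every path, signer, executable image, directory object and member name here is constructed for the example, and the in-memory dictionaries stand in for the production and decoy directory servers.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the bytes of a sanctioned administration tool; the
# management server would distribute its SHA-256 as part of the allowlist.
SANCTIONED_IMAGE = b"constructed-bytes-of-sanctioned-ad-tool"
SANCTIONED_SHA256 = hashlib.sha256(SANCTIONED_IMAGE).hexdigest()
SANCTIONED_PATH = r"C:\Tools\ad-admin.exe"          # constructed path
SANCTIONED_SIGNER = "CN=Example Corp Tools"          # constructed signing subject
DN = "CN=Domain Admins,CN=Users,DC=example,DC=test"  # constructed directory object


@dataclass(frozen=True)
class SanctionedApp:
    """One allowlist entry pushed to the sensor by the management server."""
    path: str
    sha256: str
    signer: Optional[str]   # code-signing subject; None if the entry is unsigned


@dataclass(frozen=True)
class Command:
    """An intercepted directory command plus the identity of the process that issued it."""
    kind: str               # "read", "write" or "delete"
    target: str             # directory object the command addresses
    source_path: str        # on-disk path of the issuing executable
    source_image: bytes     # bytes of that executable, hashed at verification time
    source_signer: Optional[str]
    value: Optional[str] = None  # payload for writes


ALLOWLIST = [SanctionedApp(SANCTIONED_PATH, SANCTIONED_SHA256, SANCTIONED_SIGNER)]


def is_sanctioned(cmd: Command, allowlist: List[SanctionedApp]) -> bool:
    """Path, hash and signer must all match a single allowlist entry, so a renamed
    copy, a trojanized binary at the right path, or an unsigned tool all fail."""
    digest = hashlib.sha256(cmd.source_image).hexdigest()
    return any(
        cmd.source_path == app.path and digest == app.sha256 and cmd.source_signer == app.signer
        for app in allowlist
    )


def handle(cmd: Command, allowlist: List[SanctionedApp], production: Dict[str, List[str]],
           deception: Dict[str, List[str]], audit: List[dict]) -> dict:
    """Sensor-module decision for one intercepted command."""
    if is_sanctioned(cmd, allowlist):
        # Sanctioned source: the command operates on the real directory data.
        if cmd.kind == "read":
            return {"status": "ok", "data": list(production.get(cmd.target, []))}
        if cmd.kind == "write":
            production.setdefault(cmd.target, []).append(cmd.value)
            return {"status": "ok"}
        if cmd.kind == "delete":
            production.pop(cmd.target, None)
            return {"status": "ok"}
        return {"status": "error", "reason": "unknown command kind"}

    # Unsanctioned source: production data is never touched; the attempt is recorded
    # so the security team can investigate the endpoint.
    audit.append({"kind": cmd.kind, "target": cmd.target, "source": cmd.source_path})
    if cmd.kind == "read":
        # Reads are answered from the decoy data instead of the real objects.
        return {"status": "ok", "data": list(deception.get(cmd.target, []))}
    if cmd.kind in ("write", "delete"):
        # Writes and deletes are dropped but acknowledged as if they had succeeded.
        return {"status": "ok"}
    return {"status": "error", "reason": "unknown command kind"}


def run_demo():
    """Run four constructed commands through the sensor and return what it decided."""
    production = {DN: ["alice", "bob"]}
    deception = {DN: ["svc-backup", "da-helpdesk"]}
    audit: List[dict] = []
    commands = {
        # Legitimate tool: correct path, bytes and signer.
        "admin_read": Command("read", DN, SANCTIONED_PATH, SANCTIONED_IMAGE, SANCTIONED_SIGNER),
        # Unknown unsigned tool dropped into a public directory.
        "rogue_read": Command("read", DN, r"C:\Users\Public\dump.exe",
                              b"constructed-bytes-of-unknown-tool", None),
        # Binary placed at the sanctioned path with a matching signer claim but different bytes.
        "spoofed_read": Command("read", DN, SANCTIONED_PATH,
                                b"constructed-bytes-of-trojanized-tool", SANCTIONED_SIGNER),
        # Unsanctioned write attempting to add a member to the group.
        "rogue_write": Command("write", DN, r"C:\Users\Public\dump.exe",
                               b"constructed-bytes-of-unknown-tool", None, value="mallory"),
    }
    results = {name: handle(cmd, ALLOWLIST, production, deception, audit)
               for name, cmd in commands.items()}
    return results, production, audit


if __name__ == "__main__":
    for name, result in run_demo()[0].items():
        print(name, result)
```

The three-way check in `is_sanctioned` is the point: path alone is spoofable by placing a file at the same location, hash alone can be satisfied by copying the sanctioned binary elsewhere, and a signer claim alone proves nothing unless the bytes actually carry that signature, so the example requires all three to agree with one allowlist entry. The audit list is what turns the deception into a detection signal.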

Background

Attackers often use compromised endpoints to gather data and move laterally within networks. The disclosed system addresses this threat by intercepting and modifying unauthorized access attempts, thereby enhancing protection for application data on endpoint systems. This proactive defense mechanism significantly reduces the risk of data breaches and lateral attacks.

Implementation

The invention can be realized as hardware, software, or a combination thereof, and may exist as an apparatus, method, or computer program product. It utilizes computer-readable media for storing program code that can execute on various computing devices. The code may be written in multiple programming languages and executed locally or remotely over networks like LAN or WAN.

Applications

The described methods are applicable in diverse network environments comprising multiple domains interconnected over the Internet. Endpoints within these domains execute the sensor module to safeguard production data while performing legitimate tasks. This setup ensures that endpoints are not solely decoys but function as regular computing devices, maintaining normal operations while securing sensitive information from unauthorized access.