Kaspersky’s AI center developed a machine learning model that detects DLL hijacking and integrated it into the Kaspersky SIEM platform. The model analyzes the DLL libraries loaded by processes and checks them against the Kaspersky Security Network cloud, combining local attributes of each load event with a global behavioral database to improve accuracy and reduce false positives. It can run either on a correlator, where it sees only pre-filtered events (lower load, faster response), or on a collector, where it processes every relevant event for comprehensive retrospective threat hunting.
The model provides graded confidence levels from benign to confirmed malicious, allowing flexible SOC responses. During pilot testing in Kaspersky’s MDR service, the model successfully detected real-world incidents where attackers employed DLL sideloading techniques to gain persistence and execute malicious code. Three notable cases included an attack by the ToddyCat APT group exploiting a SharePoint vulnerability to load a Cobalt Strike implant, a browser info-stealing malware disguised as a policy manager DLL, and a malicious loader triggered via a USB device using DLL sideloading to execute a backdoor.
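To make the two ideas above concrete, the classic local attributes of a sideloaded DLL and a graded verdict that also consults a global reputation source, here is an added illustrative scorer in Python. It is not Kaspersky’s model, feature set, weights or thresholds, and it is not code from the Securelist article: the feature list, the point weights, the cut-offs, the reputation table standing in for the cloud lookup, and the image-load events are all constructed for the example. It shows the case the page describes (a system DLL name loaded from a user-writable directory by a signed host process) scoring high, a known-bad hash being escalated to confirmed, and an unsigned helper in a per-user install landing in the suspicious band where a cloud verdict would normally settle it.

```python
"""
Toy DLL-sideloading scorer: per-event local attributes plus a (constructed)
global reputation lookup, producing graded verdicts from benign to confirmed.
Illustrative only; feature set, weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(str, Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    LIKELY_MALICIOUS = "likely_malicious"
    CONFIRMED_MALICIOUS = "confirmed_malicious"


# DLL names that normally live in a system directory. A load of one of these
# from an application or user directory is the classic sideloading pattern.
# Constructed short list; a real detector keeps a full catalog.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
                    "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations a standard user can write to (d:\ stands in for removable media).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\", "d:\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    process_path: str
    process_signer: Optional[str]   # None = unsigned
    dll_path: str
    dll_signer: Optional[str]       # None = unsigned
    dll_sha256: str


# Stand-in for the cloud reputation service (KSN in the article): hash -> label.
# Constructed values for the example.
GLOBAL_REPUTATION = {
    "good-0001": "known_good",
    "bad-0002": "known_bad",
}


def local_features(ev: ImageLoadEvent) -> dict:
    """Attributes computable on the endpoint/SIEM without any cloud lookup."""
    dll_path = ev.dll_path.lower()
    dll_dir, _, dll_name = dll_path.rpartition("\\")
    proc_dir = ev.process_path.lower().rpartition("\\")[0]
    return {
        "system_name_outside_system_dir":
            dll_name in SYSTEM_DLL_NAMES and not dll_path.startswith(SYSTEM_DIRS),
        "same_dir_as_process": dll_dir == proc_dir,
        "user_writable_location": dll_path.startswith(USER_WRITABLE_PREFIXES),
        "dll_unsigned": ev.dll_signer is None,
        # Signed, but by someone other than the host process's signer.
        "signer_mismatch": ev.dll_signer is not None
                           and ev.dll_signer != ev.process_signer,
    }


# Assumed weights and cut-offs; they exist only to show the graded output.
WEIGHTS = {
    "system_name_outside_system_dir": 3,
    "user_writable_location": 2,
    "dll_unsigned": 2,
    "same_dir_as_process": 1,
    "signer_mismatch": 1,
}
LIKELY_THRESHOLD = 7
SUSPICIOUS_THRESHOLD = 4


def score(ev: ImageLoadEvent, reputation=GLOBAL_REPUTATION):
    """Return (verdict, local_points). Reputation overrides the local score."""
    feats = local_features(ev)
    points = sum(w for name, w in WEIGHTS.items() if feats[name])
    rep = reputation.get(ev.dll_sha256)
    if rep == "known_good":
        return Verdict.BENIGN, points
    if rep == "known_bad":
        return Verdict.CONFIRMED_MALICIOUS, points
    if points >= LIKELY_THRESHOLD:
        return Verdict.LIKELY_MALICIOUS, points
    if points >= SUSPICIOUS_THRESHOLD:
        return Verdict.SUSPICIOUS, points
    return Verdict.BENIGN, points


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: a system service loading a system DLL from System32, hash known good.
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe", "Microsoft",
                   r"C:\Windows\System32\version.dll", "Microsoft", "good-0001"),
    # 2: signed updater in %TEMP% loading an unsigned version.dll beside it.
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\updater.exe", "Some Vendor",
                   r"C:\Users\alice\AppData\Local\Temp\version.dll", None, "unknown-0003"),
    # 3: setup.exe on removable media loading dbghelp.dll whose hash is known bad.
    ImageLoadEvent(r"D:\setup.exe", "Some Vendor",
                   r"D:\dbghelp.dll", None, "bad-0002"),
    # 4: per-user app loading its own unsigned helper: noisy, needs cloud context.
    ImageLoadEvent(r"C:\Users\bob\AppData\Local\VendorApp\app.exe", "Vendor",
                   r"C:\Users\bob\AppData\Local\VendorApp\helper.dll", None, "unknown-0004"),
]


def triage(events=SAMPLE_EVENTS):
    return [score(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev, (v, pts) in zip(SAMPLE_EVENTS, (score(e) for e in SAMPLE_EVENTS)):
        print(f"{v.value:20} {pts:2}  {ev.dll_path}")
```

The split matters operationally: the local features are cheap and available even on a collector that sees every image-load event, while the reputation lookup is what moves event 4 out of the suspicious band (one way or the other) and event 3 up to confirmed without waiting for enough local points.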
These incidents underline how stealthy DLL hijacking is as an attack vector, since the malicious code runs inside a legitimate, often signed, host process, and they show the model detecting it early and accurately in real customer environments. Kaspersky expects continued updates to the algorithms and training data to improve detection further, positioning the model as a proactive defense against DLL hijacking in corporate systems.
👉 Read the original: Kaspersky Securelist