Concise Cyber

Kaspersky’s New ML Model Catches Stealthy DLL Sideloading in the Wild

AI-Powered Defense Against DLL Hijacking

Kaspersky has developed and integrated a new machine learning model into its Unified Monitoring and Analysis Platform (SIEM) to specifically combat DLL hijacking attacks. The model works by systematically checking every DLL loaded by system processes and validating it against the global Kaspersky Security Network (KSN). This approach combines local file attributes with a vast knowledge base to improve detection accuracy and minimize false positives. The model can be deployed in two modes: on a correlator for real-time analysis of triggered events, or on a collector for more resource-intensive retrospective threat hunting across all logged events.

Real-World Incidents Uncovered

During pilot testing within Kaspersky’s MDR service, the model proved its real-world effectiveness by identifying several sophisticated attacks that used the DLL sideloading technique. One notable incident involved the ToddyCat APT group exploiting a SharePoint vulnerability to deploy a malicious SystemSettings.dll. The attackers achieved persistence using a scheduled task that launched a legitimate executable to load their Cobalt Strike implant.

In another case, the model flagged a legitimate SettingSyncHost.exe file located in a non-standard directory loading a malicious policymanager.dll. This library was identified as an information-stealer designed to harvest data from web browsers. A third incident originated from a USB drive, where a user was tricked into running a shortcut. This action launched a legitimate Avast Antivirus executable, CEFHelper.exe, which then sideloaded a malicious wsc.dll that functioned as a loader for a backdoor. These successful detections demonstrate the model’s capability to proactively identify and block stealthy threats that might otherwise go unnoticed.
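As an added illustration of the idea described above (not Kaspersky's model or code), the rule set below scores constructed image-load events the way an analyst might triage them: a known system binary running from a non-standard directory, a System32 DLL name resolved from the process's own directory instead, and a DLL with no reputation in a lookup table that stands in for KSN. The `KNOWN_HOME` table, the event field names and the sample events are all assumptions made for this example.

```python
"""Toy DLL-sideloading triage over image-load events (constructed sample data).

Not Kaspersky's model: a transparent rule set that mimics the idea of combining
local file attributes (paths, directories) with a reputation lookup that here
stands in for KSN. Paths are compared case-insensitively, as Windows does."""
import ntpath

# Constructed stand-in for a reputation service: lower-cased file name ->
# directories where the known-good copy of that file normally resides.
KNOWN_HOME = {
    "settingsynchost.exe": {r"c:\windows\system32"},
    "policymanager.dll": {r"c:\windows\system32"},
}

def _split(path):
    """Return (directory, file name), both lower-cased, from a Windows path."""
    d, f = ntpath.split(path.lower())
    return d.rstrip("\\"), f

def score_event(ev):
    """Score one image-load event; returns (score, reasons)."""
    proc_dir, proc_name = _split(ev["process_path"])
    dll_dir, dll_name = _split(ev["dll_path"])
    score, reasons = 0, []
    # Rule 1: a binary known to live in a system directory runs from elsewhere
    if proc_name in KNOWN_HOME and proc_dir not in KNOWN_HOME[proc_name]:
        score += 1
        reasons.append("known binary running from non-standard directory")
    # Rule 2: a DLL normally resolved from System32 is instead loaded from the
    # process's own directory, which is how search-order sideloading works
    if dll_name in KNOWN_HOME and dll_dir not in KNOWN_HOME[dll_name] and dll_dir == proc_dir:
        score += 2
        reasons.append("system DLL name loaded from process directory")
    # Rule 3: the loaded file has no reputation in the (simulated) cloud lookup
    if not ev.get("dll_known_good", False):
        score += 1
        reasons.append("DLL hash unknown to reputation service")
    return score, reasons

def triage(events, threshold=3):
    """Return events whose score reaches the threshold, with their reasons."""
    return [{"process": ev["process_path"], "dll": ev["dll_path"], "score": s, "reasons": why}
            for ev in events for s, why in [score_event(ev)] if s >= threshold]

SAMPLE_EVENTS = [  # constructed events modelled on the SettingSyncHost.exe incident
    {"process_path": r"C:\Windows\System32\SettingSyncHost.exe",
     "dll_path": r"C:\Windows\System32\policymanager.dll", "dll_known_good": True},
    {"process_path": r"C:\Users\Public\Libs\SettingSyncHost.exe",
     "dll_path": r"C:\Users\Public\Libs\policymanager.dll", "dll_known_good": False},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the second event is reported: the benign load from System32 scores zero, while the relocated binary loading a same-named DLL from its own directory trips all three rules.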

Source: https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/