Configuring DLL Hijacking detection

DLL Hijacking is an attack technique that involves delivering vulnerable legitimate software along with a malicious dynamic link library (DLL) to the target system. When the vulnerable software is launched, it does not verify the legitimacy of the dynamic library and loads it by file name. As a result, malicious code is executed in the context of legitimate software. A DLL Hijacking attack is difficult to detect because the software being launched is legitimate. To detect such attacks, KUMA uses the AI module. The AI module analyzes the launch and runtime parameters of applications and identifies suspicious launches of legitimate software with malicious libraries.

To get a verdict, KUMA sends a request to KSN. The request contains information from the event fields that is needed for analysis. In response to a request, KSN sends one of the following analysis results:

The result is written to the KL_DLLSideLoadingResult field of the event as a numeric value.

DLL Hijacking attacks are detected at the event enrichment stage. This is achieved using the check DLL Hijacking enrichment type. You can embed an enrichment of this type in the collector or the correlator. We recommend embedding this type of enrichment in the correlator. In this way, the load on the KSN service is significantly lower than when checking events in the collector.

To use an enrichment of the check DLL Hijacking type, your license must include the AI module. The General administrator must also accept the additional KSN license agreement in the Kaspersky Security Network section (Settings → Integrations → AI services → Kaspersky Security Network).

Detecting DLL Hijacking attacks using event enrichment in the correlator

To configure DLL Hijacking attack detection using event enrichment in the correlator:

  1. In the application web interface, select Resources → Correlators.
  2. Start creating a correlator or open the settings of an existing correlator.
  3. Add an enrichment of the check DLL Hijacking type.

    When configuring the enrichment, you need to specify a list of fields corresponding to the parameters that are needed to create a KSN request. Make sure the fields you specify are populated as part of normalization in the collector.

  4. In the enrichment settings, in the list under Filter parameters, select the following filter: [OOTB] Events for DLLHijacking enrichment. Filter for correlator. If this filter is missing from the list, import it from the repository. You can also configure the filter on your own.
  5. If you want to configure the application to generate an alert when it gets a Suspicious or Malware verdict, create a correlation rule that does that. When creating the correlation rule, select the simple type and on the Selector tab, specify two conditions in the filter parameters:

    KL_DLLSideLoadingResult = 2 OR KL_DLLSideLoadingResult = 3

Detecting DLL Hijacking attacks using event enrichment in the collector

We do not recommend using the DLL Hijacking enrichment in the collector. This increases the load on the KSN service. Instead, add an enrichment of this type to the correlator.

To configure DLL Hijacking attack detection using event enrichment in the collector:

  1. In the application web interface, select Resources → Collectors.
  2. Start creating a collector or open the settings of an existing collector.
  3. Add an enrichment of the check DLL Hijacking type.

    When configuring the enrichment, you need to specify a list of fields corresponding to the parameters that are needed to create a KSN request. Make sure the fields you specify are populated as part of normalization in the collector.

  4. In the enrichment settings, in the list under Filter parameters, select the following filter: [OOTB] Events for DLLHijacking enrichment. Filter for collector. If this filter is missing from the list, import it from the repository. You can also configure the filter on your own.
  5. If you want to configure the application to generate an alert when it gets a Suspicious or Malware verdict, create a correlation rule that does that. When creating the correlation rule, select the simple type and on the Selector tab, specify two conditions in the filter parameters:

    KL_DLLSideLoadingResult = 2 OR KL_DLLSideLoadingResult = 3
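The following is an added illustration, not KUMA code: it simulates the check DLL Hijacking enrichment stage and the selector KL_DLLSideLoadingResult = 2 OR KL_DLLSideLoadingResult = 3 from both procedures above. The event field names, the stand-in KSN verdict table and the sample events are assumptions constructed for the example; it also shows what happens when a field configured for the KSN request was not populated during normalization.

```python
# Added example, not part of KUMA. Field names below and the fake KSN table
# are assumptions; only KL_DLLSideLoadingResult and the values 2/3 come
# from the documented procedure.

ALERT_VERDICTS = {2, 3}  # the two selector conditions of the correlation rule

# Assumed set of event fields the enrichment is configured to send to KSN.
REQUEST_FIELDS = ("DestinationProcessName", "FilePath", "FileHash")

def build_ksn_request(event, fields=REQUEST_FIELDS):
    """Return the request payload, or None when any configured field is empty
    (the event is then skipped and stays unenriched)."""
    if any(not event.get(f) for f in fields):
        return None
    return {f: event[f] for f in fields}

def enrich(events, ksn_lookup):
    """Write the KSN result into KL_DLLSideLoadingResult; the returned count
    of requests is what the KSN service actually has to serve."""
    requests = 0
    for ev in events:
        req = build_ksn_request(ev)
        if req is None:
            continue
        requests += 1
        ev["KL_DLLSideLoadingResult"] = ksn_lookup(req)
    return requests

def selector(event):
    """Correlation-rule selector: Suspicious or Malware verdict (2 or 3)."""
    return event.get("KL_DLLSideLoadingResult") in ALERT_VERDICTS

# Constructed stand-in for KSN: verdict keyed by file hash. 0 is used here
# as an assumed "nothing found" value; any value other than 2/3 does not alert.
FAKE_KSN = {"hash-clean": 0, "hash-susp": 2, "hash-mal": 3}

def fake_ksn_lookup(req):
    return FAKE_KSN.get(req["FileHash"], 0)

# Constructed sample events, as they would arrive after collector normalization.
SAMPLE_EVENTS = [
    {"DestinationProcessName": "app.exe", "FilePath": "C:\\Tools\\version.dll", "FileHash": "hash-mal"},
    {"DestinationProcessName": "app.exe", "FilePath": "C:\\Windows\\System32\\version.dll", "FileHash": "hash-clean"},
    {"DestinationProcessName": "app.exe", "FilePath": "C:\\Tools\\x.dll"},  # FileHash not populated
    {"DestinationProcessName": "app.exe", "FilePath": "C:\\Tools\\y.dll", "FileHash": "hash-susp"},
]

def run(events=SAMPLE_EVENTS):
    """Enrich, then apply the selector; return (KSN requests, alerted file paths)."""
    events = [dict(e) for e in events]
    n = enrich(events, fake_ksn_lookup)
    return n, [e["FilePath"] for e in events if selector(e)]
```

The third event produces no KSN request at all, which is why the procedure insists that every field listed in the enrichment is populated by normalization before the event reaches this stage.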
