Configuring DLL Hijacking detection

DLL Hijacking is an attack technique that involves delivering vulnerable legitimate software along with a malicious dynamic link library (DLL) to the target system. When the vulnerable software is launched, it does not verify the legitimacy of the dynamic library and loads it by file name. As a result, malicious code is executed in the context of legitimate software. A DLL Hijacking attack is difficult to detect because the software being launched is legitimate. To detect such attacks, the AI module is used. The AI module analyzes the launch and runtime parameters of applications and identifies suspicious launches of legitimate software with malicious libraries.

To get a status, KUMA sends a request to KSN. The request contains information from the event fields that is needed for analysis. In response to a request, KSN sends one of the following analysis results:

• 0 – Unclassified. To get a status, you need to re-send the request. You can configure the re-sending of requests using the Perform a repeat request setting.
• 1 – Unknown. The library is not considered malicious at the time when the status is received.
• 2 – Suspicious. Getting such a result creates an alert if you have the corresponding correlation rule configured.
• 3 – Malware. Getting such a result creates an alert if you have the corresponding correlation rule configured. The Malware status represents a higher-likelihood detection of DLL Hijacking than the Suspicious status.

The result is written to the KL_AI_DLLHijackingCheckResult field of the event as a numerical value and a text comment.

DLL Hijacking attacks are detected at the event enrichment stage. This is achieved using the check DLL Hijacking enrichment type. You can embed an enrichment of this type in the collector or the correlator. We recommend embedding this type of enrichment in the correlator. In this way, the load on the KSN service is significantly lower than when checking events in the collector.

To use an enrichment of the check DLL Hijacking type, your license must include the AI module. The General administrator must also accept the additional KSN Statement in the Kaspersky Security Network section (Settings → Integrations → AI services → Kaspersky Security Network). If your instance of KUMA has multiple General administrators, it is sufficient for one of them to accept the KSN Statement.

Detecting DLL Hijacking attacks using event enrichment in the correlator

To configure DLL Hijacking attack detection using event enrichment in the correlator:

1. In the application web interface, select Resources → Correlators.
2. Start creating a correlator or open the settings of an existing correlator.
3. Add an enrichment of the check DLL Hijacking type.

   When configuring the enrichment, you need to specify a list of fields corresponding to the parameters that are needed to create a KSN request. Make sure the fields you specify are populated as part of normalization in the collector.

   Also, in the correlation rule, specify the fields that you specified when adding the enrichment (see step 3 of the instructions). The fields must be listed in the Propagated fields setting if you created a correlation rule of the simple type, or in the Identical fields setting if you created a correlation rule of the standard type.

4. In the enrichment settings, in the list under Filter parameters, select the following filter: [OOTB] Events for DLLHijacking enrichment. Filter for correlator. If this filter is missing from the list, import it from the repository. You can also configure the filter on your own.
5. If you want to configure the application to generate an alert when it gets a Suspicious or Malware status, create a correlation rule that does that. When creating the correlation rule, select the simple or standard type and on the Selector tab, specify two conditions in the filter parameters:

   KL_AI_DLLHijackingCheckResult = 2 OR KL_AI_DLLHijackingCheckResult = 3

DLL Hijacking attack detection is configured. If you have created a correlation rule, an alert is generated when a Suspicious or Malicious verdict is received.

Detecting DLL Hijacking attacks using event enrichment in the collector

We do not recommend using the DLL Hijacking enrichment in the collector. This increases the load on the KSN service. Instead, add an enrichment of this type to the correlator.

To configure DLL Hijacking attack detection using event enrichment in the collector:

1. In the application web interface, select Resources → Collectors.
2. Start creating a collector or open the settings of an existing collector.
3. Add an enrichment of the check DLL Hijacking type.

   When configuring the enrichment, you need to specify a list of fields corresponding to the parameters that are needed to create a KSN request. Make sure the fields you specify are populated as part of normalization in the collector.

4. In the enrichment settings, in the list under Filter parameters, select the following filter: [OOTB] Events for DLLHijacking enrichment. Filter for collector. If this filter is missing from the list, import it from the repository. You can also configure the filter on your own.
5. If you want to configure the application to generate an alert when it gets a Suspicious or Malware status, create a correlation rule that does that. When creating the correlation rule, select the simple or standard type and on the Selector tab, specify two conditions in the filter parameters:

   KL_AI_DLLHijackingCheckResult = 2 OR KL_AI_DLLHijackingCheckResult = 3

DLL Hijacking attack detection is configured. If you have created a correlation rule, an alert is generated when a Suspicious or Malicious status is received.

Page top