DLL Sideloading Detection Engine Sidewatch
An engine dedicated to identifying DLL hijacking.
The Sidewatch engine detects attacks using DLL Sideloading techniques.
DLL Sideloading is a technique frequently used for advanced attacks and cybercrime. It involves using a legitimate executable to load a malicious library.
Attackers take advantage of vulnerabilities in these executables, and of the fact that they are considered trustworthy or signed and are therefore less closely monitored, to execute malicious payloads without being detected by security tools.
The malicious payload may be embedded in a legitimate DLL, and may be encrypted, compressed, or obfuscated to evade detection.
To prevent this, the Sidewatch engine observes the behavior and activity of .dll files.
Legitimate executables and .dll files are extremely numerous, and maintaining a list of blocking rules that would cover every possible case is practically impossible.
Such a manual approach would also not allow teams to respond to threats effectively, given the constantly evolving combinations of executables and .dll files.
To ensure effective protection against DLL Sideloading, the Sidewatch engine analyzes activities related to libraries and correlates them to detect suspicious events: the activity preceding the loading of a library, write operations on it, its signature, author, folder location, content, etc.
Through this behavioral analysis, potential threats – even unknown ones – are identified and blocked.
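As an added illustration of the correlation described above (example code written for this page, not Sidewatch's own logic), the Python below scores a single library-load event on the attributes the engine is said to correlate: signature and author, folder location, write activity preceding the load, and content. The event schema, thresholds, paths, publisher names and byte samples are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DllLoadEvent:  # constructed event schema, not Sidewatch's own
    exe_path: str
    exe_signer: Optional[str]      # publisher of the host executable, None if unsigned
    dll_path: str
    dll_signer: Optional[str]      # publisher of the loaded library, None if unsigned
    dll_bytes: bytes               # content sample of the library, e.g. its largest section
    written_secs_before_load: Optional[float]  # age of the last write to the DLL, None if unknown

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted, compressed or packed content approaches 8.0."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in (data.count(b) for b in set(data)))

def sideload_indicators(ev: DllLoadEvent) -> List[str]:
    """Correlate signature, author, location, preceding write activity and content; return matched indicators."""
    hits: List[str] = []
    dll = ev.dll_path.lower()
    # Signature/author: a trusted host binary pulling in an unsigned or differently signed library.
    # System directories are exempt, since every vendor binary legitimately loads Microsoft-signed DLLs.
    if ev.exe_signer and not dll.startswith(SYSTEM_DIRS):
        if not ev.dll_signer:
            hits.append("signed-exe-loads-unsigned-dll")
        elif ev.dll_signer != ev.exe_signer:
            hits.append("publisher-mismatch")
    # Folder location: library resolved from a user-writable path rather than a protected one.
    if any(marker in dll for marker in USER_WRITABLE):
        hits.append("user-writable-location")
    # Activity preceding the load: the file was (re)written moments before being mapped.
    if ev.written_secs_before_load is not None and ev.written_secs_before_load < 600:
        hits.append("written-shortly-before-load")
    # Content: packed or encrypted payload bodies stand out by entropy.
    if shannon_entropy(ev.dll_bytes) > 7.2:
        hits.append("high-entropy-content")
    return hits

def is_suspicious(hits: List[str]) -> bool:
    return len(hits) >= 2  # require two independent indicators to keep single-signal noise down

# Constructed sample events (paths, publishers and byte contents are made up for the example).
BENIGN_LOAD = DllLoadEvent(r"C:\Program Files\Vendor\tool.exe", "Vendor Ltd", r"C:\Windows\System32\helper.dll",
                           "Microsoft Windows", b"MZ" + b"\x00" * 1022, None)
SUSPICIOUS_LOAD = DllLoadEvent(r"C:\Users\alice\AppData\Local\Temp\upd\tool.exe", "Vendor Ltd",
                               r"C:\Users\alice\AppData\Local\Temp\upd\helper.dll", None, bytes(range(256)) * 4, 12.0)
```

Running `sideload_indicators` on the two constructed events returns no indicators for the first and four for the second, which `is_suspicious` turns into a single verdict an EDR could act on.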
EDR CSPN Certified by ANSSI