<h1>Detecting DLL hijacking</h1>
<p>Published 15 October 2025 on Kaspersky Daily (Turkish edition): <a href="https://www.kaspersky.com.tr/blog/dll-hijacking-in-kaspersky-siem/13884/">https://www.kaspersky.com.tr/blog/dll-hijacking-in-kaspersky-siem/13884/</a></p>
<p>To avoid detection by security solutions, cybercriminals use a variety of techniques that disguise their malicious activity. One method seen more and more often in attacks on Windows systems in recent years is <a href="https://attack.mitre.org/techniques/T1574/001/" target="_blank" rel="noopener nofollow">DLL hijacking</a>, in which dynamic-link libraries (DLLs) are replaced with malicious ones. Traditional security tools generally do not detect the use of this technique. To address this problem, our colleagues at the Kaspersky AI Technology Research Center developed a machine-learning model that can detect DLL hijacking with high accuracy. The model is already in use in the latest version of our SIEM system, <a href="https://www.kaspersky.com.tr/enterprise-security/unified-monitoring-and-analysis-platform?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">Kaspersky Unified Monitoring and Analysis Platform</a>. In this post we explain what makes DLL hijacking hard to detect and how our technology overcomes those difficulties.</p>
<h2>How DLL hijacking works and why it is hard to detect</h2>
<p>In a Windows environment, an unknown file that suddenly starts executing inevitably attracts the attention of security tools, or is simply blocked. In essence, DLL hijacking is an attempt to make a malicious file pass as a known, trusted one. There are several variants of the attack. In the first, attackers distribute a malicious library together with legitimate software (<a href="https://encyclopedia.kaspersky.com/glossary/dll-sideloading/" target="_blank" rel="noopener">DLL sideloading</a>), and the software runs it. In the second, they replace standard DLLs that are called by programs already installed on the computer. In the third, they manipulate the system mechanisms that determine where a process looks for the library it loads and runs. In every case, the malicious DLL is started by a legitimate process, inside that process's address space and with its privileges, so ordinary endpoint protection systems see the activity as legitimate. That is why our experts decided to apply AI technologies against this threat.</p>
<h2>Detecting DLL hijacking with ML</h2>
<p>Experts at the AI Technology Research Center trained an ML model to detect DLL hijacking from indirect information about the library and the process that calls it. They identified the key indicators of an attempt to tamper with a library: whether the executable and the library are located in standard paths, whether the file has been renamed, whether the library's size and structure have changed, whether its digital signature is broken, and so on. Initially, they trained the model on data about the loading of dynamic-link libraries. This data came both from internal automated analysis systems and from <a href="https://www.kaspersky.com.tr/ksn" target="_blank" rel="noopener">Kaspersky Security Network (KSN)</a> telemetry provided voluntarily by our users. For labeling, our experts used data from our file reputation databases.</p>
<p>The first model made quite a few errors, so before adding it to our solution our experts ran many experiments, refining the labeling of the training dataset and the features that indicate DLL hijacking. As a result, the model now detects this technique with high accuracy. Our colleagues have published <a href="https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/" target="_blank" rel="noopener">a detailed article</a> on Securelist about how this technology was developed, from the initial hypothesis through testing in <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=tr_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener nofollow">Kaspersky Managed Detection and Response</a> to practical deployment on our SIEM platform.</p>
<h2>DLL hijacking detection in Kaspersky SIEM</h2>
<p>In the SIEM system, the model analyzes the metadata of loaded DLLs and the processes that, according to telemetry, called them; it flags suspicious cases and then checks its verdict against KSN cloud data. This not only improves the accuracy of DLL hijacking detection but also reduces false positives. The model can run both in the correlation subsystem and in the event collection subsystem.</p>
<p>In the first case, it checks only events that have already triggered correlation rules. This allows a more precise threat assessment and, where necessary, faster alert generation. Because not every event is checked, the volume of cloud queries does not significantly affect the model's response time.</p>
<p>In the second case, the model processes all library-load events that meet certain conditions. This approach consumes more resources, but it is very valuable for retrospective threat hunting.</p>
<p>In another Securelist post, our colleagues from the Anti-Malware Research group <a href="https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/" target="_blank" rel="noopener">describe in detail</a>, with real examples of early incident detection, how the DLL hijacking detection model helps Kaspersky SIEM catch targeted attacks.</p>
<p>Most importantly, the model's accuracy will continue to improve as more data about threats and legitimate processes accumulates and as the KSN algorithms evolve.</p>