Research project title
Integrated Threat Hunting: Automated Detection of DLL Sideloading and Command & Control Indicators
Education level
Master (research-based)
Director/co-director
Director: Omar Abdul Wahab
End of display
March 31, 2026
Areas of expertise
Unit(s) and department(s)
Department of Computer Engineering and Software Engineering
Conditions
Project duration: 2 years
The project is industrial and requires interaction with the industrial partner.
Experience (or strong knowledge) in defensive cybersecurity required.
To apply, send your CV and transcript to omar.abdul-wahab@polymtl.ca
Detailed description
Cyberattacks involve disrupting/compromising computer systems to impose some malicious impact (e.g. stealing confidential information, disrupting normal operation, espionage). The use of malware for this purpose is widespread as it allows attackers to facilitate numerous stages of a cyberattack (e.g., privilege escalation, persistence, exfiltrating data of interest).
There are multiple avenues for detecting and blocking malware operations. File-based and memory-based detections make it possible to detect and block malware whenever it is written to or accessed from disk or memory, respectively. However, such detections can fail against malicious implants from unknown malware families. When an implant is not initially detected on disk or in memory, additional lines of defense exist, including behavioral detections and network-based detections.
DLL Sideloading is a technique frequently used by threat actors to have a legitimate (and sometimes signed) executable from a trusted vendor load a malicious DLL, by deploying the malicious DLL alongside the legitimate executable. Automatically generating indicators that track malicious DLLs staged for sideloading by legitimate executables could help detect the use of this technique through behavioral detections and block malware at its loading stage. Regarding network-based detection, automatic identification and extraction of Command and Control (C&C) server addresses from malware samples makes it possible to quickly block malware communication. These addresses are crucial for understanding and monitoring botnet activities. Automating this extraction process enhances detection and mitigation efforts against these malware families, ensuring that their activities can be effectively blocked.
This research proposal aims at tackling both DLL Sideloading detection and automatic C&C address extraction to improve malware detection at crucial stages of malware deployment, using both behavioral and network-based detection capabilities. This research will also contribute to improving threat hunting capabilities and our understanding of malicious campaigns.
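As an added illustration (not part of the project posting), the following Python sketch shows the kind of behavioral indicator the description refers to: it scans image-load events and flags a DLL that carries a well-known system DLL name but is loaded from the executable's own directory, or an unsigned DLL loaded from the directory of a signed executable. The event fields, the system DLL list and the sample events are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Illustrative subset of DLL names normally resolved from the Windows system
# directory; a real baseline would be built from a clean reference image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    """Constructed image-load event (fields modelled on endpoint telemetry)."""
    image: str          # path of the process executable
    image_loaded: str   # path of the DLL that was loaded
    image_signed: bool  # executable has a valid signature
    dll_signed: bool    # loaded DLL has a valid signature


def sideload_indicators(ev: ImageLoad) -> list:
    """Return the reasons an image-load event looks like DLL sideloading."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    dll_dir = str(dll.parent).lower()
    same_dir = dll_dir == str(exe.parent).lower()
    reasons = []
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from a non-system directory")
    if same_dir and ev.image_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")
    return reasons


def hunt(events: list) -> list:
    """Return (executable, DLL, reasons) for every event that raised an indicator."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed sample telemetry: one benign system load, one vendor DLL, one sideload.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\vendorlib.dll", True, True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\vendor\update.exe",
              r"C:\Users\bob\AppData\Local\Temp\vendor\version.dll", True, False),
]

if __name__ == "__main__":
    for exe, dll, why in hunt(SAMPLE_EVENTS):
        print(f"{exe} -> {dll}: {'; '.join(why)}")
```

Legitimate applications sometimes ship their own copies of such DLLs, so output of this kind is a hunting lead to be enriched with file hashes and signer details rather than a blocking rule on its own.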
Financing possibility
Full funding available