{“lastseen”:”2025-10-06T08:05:11″,”description”:”\\n\\n## Introduction\\n\\nOur colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover.\\n\\n## How the model works in Kaspersky SIEM\\n\\nThe model’s operation generally boils down to a step-by-step check of all DLL libraries loaded by processes in the system, followed by validation in the Kaspersky Security Network (KSN) cloud. This approach allows local attributes (path, process name, and file hashes) to be combined with a global knowledge base and behavioral indicators, which significantly improves detection quality and reduces the probability of false positives.\\n\\nThe model can run in one of two modes: on a correlator or on a collector. A correlator is a SIEM component that performs event analysis and correlation based on predefined rules or algorithms. If detection is configured on a correlator, the model checks events that have already triggered a rule. This reduces the volume of KSN queries and the model’s response time.\\n\\nThis is how it looks:\\n\\n\\n\\nA collector is a software or hardware component of a SIEM platform that collects and normalizes events from various sources, and then delivers these events to the platform’s core. If detection is configured on a collector, the model processes all events associated with various processes loading libraries, provided these events meet the following conditions:\\n\\n * The path to the process file is known.\\n * The path to the library is known.\\n * The hashes of the file and the library are available.\\n\\n\\n\\nThis method consumes more resources, and the model’s response takes longer than it does on a correlator. However, it can be useful for retrospective threat hunting because it allows you to check all events logged by Kaspersky SIEM. The model’s workflow on a collector looks like this:\\n\\n\\n\\nIt is important to note that the model is not limited to a binary \\”malicious\/non-malicious\\” assessment; it ranks its responses by confidence level. This allows it to be used as a flexible tool in SOC practice. Examples of possible verdicts:\\n\\n * 0: data is being processed.\\n * 1: maliciousness not confirmed. This means the model currently does not consider the library malicious.\\n * 2: suspicious library.\\n * 3: maliciousness confirmed.\\n\\n\\n\\nA Kaspersky SIEM rule for detecting DLL hijacking would look like this:\\n \\n \\n N.KL_AI_DLLHijackingCheckResult \\u003e 1\\n\\nEmbedding the model into the Kaspersky SIEM correlator automates the process of finding DLL-hijacking attacks, making it possible to detect them at scale without having to manually analyze hundreds or thousands of loaded libraries. Furthermore, when combined with correlation rules and telemetry sources, the model can be used not just as a standalone module but as part of a comprehensive defense against infrastructure attacks.\\n\\n## Incidents detected during the pilot testing of the model in the MDR service\\n\\nBefore being released, the model (as part of the Kaspersky SIEM platform) was tested in the MDR service, where it was trained to identify attacks on large datasets supplied by our telemetry. This step was necessary to ensure that detection works not only in lab settings but also in real client infrastructures.\\n\\nDuring the pilot testing, we verified the model’s resilience to false positives and its ability to correctly classify behavior even in non-typical DLL-loading scenarios. As a result, several real-world incidents were successfully detected where attackers used one type of DLL hijacking \u2014 the DLL Sideloading technique \u2014 to gain persistence and execute their code in the system.\\n\\nLet us take a closer look at the three most interesting of these.\\n\\n### Incident 1. ToddyCat trying to launch Cobalt Strike disguised as a system library\\n\\nIn one incident, the attackers successfully leveraged the vulnerability CVE-2021-27076 to exploit a SharePoint service that used IIS as a web server. They ran the following command:\\n \\n \\n c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe -ap \\”SharePoint – 80\\” -v \\”v4.0\\” -l \\”webengine4.dll\\” -a \\\\\\\\.\\\\pipe\\\\iisipmd32ded38-e45b-423f-804d-34471928538b -h \\”C:\\\\inetpub\\\\temp\\\\apppools\\\\SharePoint – 80\\\\SharePoint – 80.config\\” -w \\”\\” -m 0\\n\\nAfter the exploitation, the IIS process created files that were later used to run malicious code via the DLL sideloading technique (T1574.001 Hijack Execution Flow: DLL):\\n \\n \\n C:\\\\ProgramData\\\\SystemSettings.exe\\n C:\\\\ProgramData\\\\SystemSettings.dll\\n\\nSystemSettings.dll is the name of a library associated with the Windows Settings application (SystemSettings.exe). The original library contains code and data that the Settings application uses to manage and configure various system parameters. However, the library created by the attackers has malicious functionality and is only pretending to be a system library.\\n\\nLater, to establish persistence in the system and launch a DLL sideloading attack, a scheduled task was created, disguised as a Microsoft Edge browser update. It launches a SystemSettings.exe file, which is located in the same directory as the malicious library:\\n \\n \\n Schtasks \/create \/ru \\”SYSTEM\\” \/tn \\”\\\\Microsoft\\\\Windows\\\\Edge\\\\Edgeupdates\\” \/sc DAILY \/tr \\”C:\\\\ProgramData\\\\SystemSettings.exe\\” \/F\\n\\nThe task is set to run daily.\\n\\nWhen the SystemSettings.exe process is launched, it loads the malicious DLL. As this happened, the process and library data were sent to our model for analysis and detection of a potential attack.\\n\\n\\n\\nExample of a SystemSettings.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM\\n\\nThe resulting data helped our analysts highlight a suspicious DLL and analyze it in detail. The library was found to be a Cobalt Strike implant. After loading it, the SystemSettings.exe process attempted to connect to the attackers’ command-and-control server.\\n \\n \\n DNS query: connect-microsoft[.]com\\n DNS query type: AAAA\\n DNS response: ::ffff:8.219.1[.]155;\\n 8.219.1[.]155:8443\\n\\nAfter establishing a connection, the attackers began host reconnaissance to gather various data to develop their attack.\\n \\n \\n C:\\\\ProgramData\\\\SystemSettings.exe\\n whoami \/priv\\n hostname\\n reg query HKLM\\\\SOFTWARE\\\\Microsoft\\\\Cryptography \/v MachineGuid\\n powershell -c $psversiontable\\n dotnet –version\\n systeminfo\\n reg query \\”HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\VMware, Inc.\\\\VMware Drivers\\”\\n cmdkey \/list\\n REG query \\”HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\” \/v PortNumber\\n reg query \\”HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\n netsh wlan show profiles\\n netsh wlan show interfaces\\n set\\n net localgroup administrators\\n net user\\n net user administrator\\n ipconfig \/all\\n net config workstation\\n net view\\n arp -a\\n route print\\n netstat -ano\\n tasklist\\n schtasks \/query \/fo LIST \/v\\n net start\\n net share\\n net use\\n netsh firewall show config\\n netsh firewall show state\\n net view \/domain\\n net time \/domain\\n net group \\”domain admins\\” \/domain\\n net localgroup administrators \/domain\\n net group \\”domain controllers\\” \/domain\\n net accounts \/domain\\n nltest \/ domain_trusts\\n reg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n reg query HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n reg query HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\n reg query HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\n reg query HKEY_CURRENT_USER\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\n\\nBased on the attackers’ TTPs, such as loading Cobalt Strike as a DLL, using the DLL sideloading technique (1, 2), and exploiting SharePoint, we can say with a high degree of confidence that the ToddyCat APT group was behind the attack. Thanks to the prompt response of our model, we were able to respond in time and block this activity, preventing the attackers from causing damage to the organization.\\n\\n### Incident 2. Infostealer masquerading as a policy manager\\n\\nAnother example was discovered by the model after a client was connected to MDR monitoring: a legitimate system file located in an application folder attempted to load a suspicious library that was stored next to it.\\n \\n \\n C:\\\\Program Files\\\\Chiniks\\\\SettingSyncHost.exe\\n C:\\\\Program Files\\\\Chiniks\\\\policymanager.dll E83F331BD1EC115524EBFF7043795BBE\\n\\nThe SettingSyncHost.exe file is a system host process for synchronizing settings between one user’s different devices. Its 32-bit and 64-bit versions are usually located in C:\\\\Windows\\\\System32\\\\ and C:\\\\Windows\\\\SysWOW64\\\\, respectively. In this incident, the file location differed from the normal one.\\n\\n\\n\\nExample of a policymanager.dll load event with a DLL Hijacking module verdict in Kaspersky SIEM\\n\\nAnalysis of the library file loaded by this process showed that it was malware designed to steal information from browsers.\\n\\n\\n\\nGraph of policymanager.dll activity in a sandbox\\n\\nThe file directly accesses browser files that contain user data.\\n \\n \\n C:\\\\Users\\\\\\u003cuser\\u003e\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State\\n\\nThe library file is on the list of files used for DLL hijacking, as published in the HijackLibs project. The project contains a list of common processes and libraries employed in DLL-hijacking attacks, which can be used to detect these attacks.\\n\\n### Incident 3. Malicious loader posing as a security solution\\n\\nAnother incident discovered by our model occurred when a user connected a removable USB drive:\\n\\n\\n\\nExample of a Kaspersky SIEM event where a wsc.dll library was loaded from a USB drive, with a DLL Hijacking module verdict\\n\\nThe connected drive’s directory contained hidden folders with an identically named shortcut for each of them. The shortcuts had icons typically used for folders. Since file extensions were not shown by default on the drive, the user might have mistaken the shortcut for a folder and launched it. In turn, the shortcut opened the corresponding hidden folder and ran an executable file using the following command:\\n \\n \\n \\”%comspec%\\” \/q \/c \\”RECYCLER.BIN\\\\1\\\\CEFHelper.exe [$DIGITS] [$DIGITS]\\”\\n\\nCEFHelper.exe is a legitimate Avast Antivirus executable that, through DLL sideloading, loaded the wsc.dll library, which is a malicious loader.\\n\\n\\n\\nCode snippet from the malicious file\\n\\nThe loader opens a file named AvastAuth.dat, which contains an encrypted backdoor. The library reads the data from the file into memory, decrypts it, and executes it. After this, the backdoor attempts to connect to a remote command-and-control server.\\n\\nThe library file, which contains the malicious loader, is on the list of known libraries used for DLL sideloading, as presented on the HijackLibs project website.\\n\\n## Conclusion\\n\\nIntegrating the model into the product provided the means of early and accurate detection of DLL-hijacking attempts which previously might have gone unnoticed. Even during the pilot testing, the model proved its effectiveness by identifying several incidents using this technique. Going forward, its accuracy will only increase as data accumulates and algorithms are updated in KSN, making this mechanism a reliable element of proactive protection for corporate systems.\\n\\n## IoC\\n\\n**Legitimate files used for DLL hijacking \\n**E0E092D4EFC15F25FD9C0923C52C33D6 loads SystemSettings.dll \\n09CD396C8F4B4989A83ED7A1F33F5503 loads policymanager.dll \\nA72036F635CECF0DCB1E9C6F49A8FA5B loads wsc.dll\\n\\n**Malicious files** \\nEA2882B05F8C11A285426F90859F23C6 SystemSettings.dll \\nE83F331BD1EC115524EBFF7043795BBE policymanager.dll \\n831252E7FA9BD6FA174715647EBCE516 wsc.dll\\n\\n**Paths** \\nC:\\\\ProgramData\\\\SystemSettings.exe \\nC:\\\\ProgramData\\\\SystemSettings.dll \\nC:\\\\Program Files\\\\Chiniks\\\\SettingSyncHost.exe \\nC:\\\\Program Files\\\\Chiniks\\\\policymanager.dll \\nD:\\\\RECYCLER.BIN\\\\1\\\\CEFHelper.exe \\nD:\\\\RECYCLER.BIN\\\\1\\\\wsc.dll”,”published”:”2025-10-06T08:00:08″,”modified”:”2025-10-06T08:00:08″,”type”:”securelist”,”title”:”Detecting DLL hijacking with machine learning: real-world cases”,”source”:””,”references”:””,”id”:”SECURELIST:5B4709532D95E89B68B809F8518EC0C1″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2021-27076″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/securelist.com\/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem\/117567\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-06T08:05:11″,”description”:”\\n\\n## Introduction\\n\\nOur colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,41,12,15,13,136,7,11,5],"class_list":["post-20327","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-securelist","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n