Potential Persistence Via DLLPathOverride

calendar Aug 17, 2023 · attack.persistence  ·
Share on: linkedin copy

Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process

Sigma rule (View on GitHub)

 1title: Potential Persistence Via DLLPathOverride
 2id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
 3status: experimental
 4description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
 5references:
 6    - https://persistence-info.github.io/Data/naturallanguage6.html
 7    - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/07/21
10modified: 2023/08/17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_root:
18        # The path can be for multiple languages
19        # Example:  HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
20        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
21        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
22        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
23    selection_values:
24        TargetObject|contains:
25            - '\StemmerDLLPathOverride'
26            - '\WBDLLPathOverride'
27            - '\StemmerClass'
28            - '\WBreakerClass'
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: high

References

  • Natural Language 6 DLLs

    Natural Language 6 DLLs Location: HKLM\System\CurrentControlSet\Control\ContentIndex\Language Classification: Criteria Value Permissions Admin Security context System Persistence type Registry Code...


    Read More

  • Beyond good ol’ Run key, Part 98

    Scanning the Windows files for possible persistence mechanisms I came across a few interesting strings inside the Natural Language Development Platform 6 library (NaturalLanguage6.dll): StemmerDLLP...


    Read More

Related rules

to-top