Potential Persistence Via DLLPathOverride

Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process

Sigma rule (View on GitHub)

 1title: Potential Persistence Via DLLPathOverride
 2id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
 3status: test
 4description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
 5references:
 6    - https://persistence-info.github.io/Data/naturallanguage6.html
 7    - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-07-21
10modified: 2023-08-17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_root:
18        # The path can be for multiple languages
19        # Example:  HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
20        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
21        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
22        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
23    selection_values:
24        TargetObject|contains:
25            - '\StemmerDLLPathOverride'
26            - '\WBDLLPathOverride'
27            - '\StemmerClass'
28            - '\WBreakerClass'
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top