Detects when an attacker adds a new “DLLPathOverride” value to the “Natural Language” key in order to achieve persistence which will get invoked by “SearchIndexer.exe” process
title: Potential Persistence Via DLLPathOverride
id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
status: test
description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
references:
- https://persistence-info.github.io/Data/naturallanguage6.html
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection_root:
# The path can be for multiple languages
# Example: HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
# HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
# HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
selection_values:
TargetObject|contains:
- '\StemmerDLLPathOverride'
- '\WBDLLPathOverride'
- '\StemmerClass'
- '\WBreakerClass'
condition: all of selection_*
falsepositives:
- Unknown
level: high
imRegistry
| where RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language*" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")DeviceRegistryEvents
| where RegistryKey endswith "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language*" and (RegistryKey contains "\\StemmerDLLPathOverride" or RegistryKey contains "\\WBDLLPathOverride" or RegistryKey contains "\\StemmerClass" or RegistryKey contains "\\WBreakerClass")| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |