sigmaDRL-1.1from SigmaHQ/sigma
Potential Persistence Via DLLPathOverride
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
Quality
82
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/registry/registry_set/registry_set_persistence_natural_language.yml
title: Potential Persistence Via DLLPathOverride
id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
status: test
description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
references:
- https://persistence-info.github.io/Data/naturallanguage6.html
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection_root:
# The path can be for multiple languages
# Example: HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
# HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
# HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
selection_values:
TargetObject|contains:
- '\StemmerDLLPathOverride'
- '\WBDLLPathOverride'
- '\StemmerClass'
- '\WBreakerClass'
condition: all of selection_*
falsepositives:
- Unknown
level: high