
Potential Persistence Via DLLPathOverride

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects when an attacker adds a new "DLLPathOverride" value under the "Natural Language" key in order to achieve persistence; the DLL it points to is then loaded by the "SearchIndexer.exe" process.

Event coverage

Provider   Event ID   Title
Sysmon     13         RegistryEvent (Value Set)

Rule body yaml

title: Potential Persistence Via DLLPathOverride
id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
status: test
description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
references:
    - https://persistence-info.github.io/Data/naturallanguage6.html
    - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        # The path can be for multiple languages
        # Example:  HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
        #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'
    selection_values:
        TargetObject|contains:
            - '\StemmerDLLPathOverride'
            - '\WBDLLPathOverride'
            - '\StemmerClass'
            - '\WBreakerClass'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
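To make the matching concrete, here is an added Python evaluator of this rule's logic run over constructed Sysmon Event ID 13 records; it is not part of the SigmaHQ rule or the catalog page. It assumes the case-insensitive string matching Sigma specifies for `contains`, which is why the rule's `\SYSTEM\` substring still hits Sysmon's `HKLM\System\...` rendering, and it treats the two selections and `all of selection_*` exactly as written in the rule body.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Substrings copied from the rule body; lower-cased once because Sigma string
# matching is case-insensitive (Sysmon renders the hive as "HKLM\System\...").
ROOT_SUBSTRING = "\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\".lower()
VALUE_SUBSTRINGS = [s.lower() for s in (
    r"\StemmerDLLPathOverride", r"\WBDLLPathOverride",
    r"\StemmerClass", r"\WBreakerClass")]


@dataclass
class RegistryEvent:
    """Subset of Sysmon registry event fields the rule needs (constructed)."""
    event_id: int        # 13 = RegistryEvent (Value Set), the rule's logsource
    image: str           # writing process, kept for triage context only
    target_object: str   # full key\value path as Sysmon renders it


def selection_root(ev: RegistryEvent) -> bool:
    return ROOT_SUBSTRING in ev.target_object.lower()


def selection_values(ev: RegistryEvent) -> bool:
    target = ev.target_object.lower()
    return any(s in target for s in VALUE_SUBSTRINGS)


def matches_rule(ev: RegistryEvent) -> bool:
    """registry_set logsource (EID 13) plus the condition 'all of selection_*'."""
    return ev.event_id == 13 and selection_root(ev) and selection_values(ev)


def find_matches(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    return [ev for ev in events if matches_rule(ev)]


LANG = r"HKLM\System\CurrentControlSet\Control\ContentIndex\Language"
# Constructed sample events: two hits under different language subkeys, a
# write elsewhere that reuses a watched value name, a benign value under the
# Language key, and a key-create event (EID 12) the rule does not cover.
SAMPLE_EVENTS = [
    RegistryEvent(13, r"C:\Windows\regedit.exe", LANG + r"\English_US\StemmerDLLPathOverride"),
    RegistryEvent(13, r"C:\Windows\System32\reg.exe", LANG + r"\Neutral\WBreakerClass"),
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe", r"HKLM\SOFTWARE\Example\WBDLLPathOverride"),
    RegistryEvent(13, r"C:\Windows\System32\svchost.exe", LANG + r"\English_UK\Locale"),
    RegistryEvent(12, r"C:\Windows\regedit.exe", LANG + r"\Neutral\StemmerClass"),
]

if __name__ == "__main__":
    for ev in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {ev.image} set {ev.target_object}")
```

Only the first two sample events fire; the third shows why `selection_root` is needed to keep writes outside the ContentIndex key from matching on value name alone.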

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_root

selection_root:
    # The path can be for multiple languages
    # Example:  HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
    #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
    #           HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
    TargetObject|contains: '\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\'

Stage 2: selection_values

selection_values:
    TargetObject|contains:
        - '\StemmerDLLPathOverride'
        - '\WBDLLPathOverride'
        - '\StemmerClass'
        - '\WBreakerClass'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          Kind    Values
TargetObject   match   • \SYSTEM\CurrentControlSet\Control\ContentIndex\Language\
                       • \StemmerClass
                       • \StemmerDLLPathOverride
                       • \WBDLLPathOverride
                       • \WBreakerClass