Natural Language 6 DLLs Persistence

Theory

The Natural Language Development Platform 6 (NaturalLanguage6.dll) Persistence technique leverages registry keys associated with the Natural Language Development Platform 6 library to achieve code execution by loading a malicious DLL.

By modifying the registry values StemmerDLLPathOverride or WBDLLPathOverride under the relevant keys, an attacker can specify the path to a custom DLL. When SearchIndexer.exe, a built-in Windows service responsible for indexing files, initializes, it calls LoadLibrary to load the DLL specified in these registry values.

Trigger Condition:

This persistence mechanism is triggered whenever SearchIndexer.exe starts or restarts, which typically occurs:

At system startup
When the Windows Search service (WSearch) is restarted
Periodically, depending on system activity and indexing behavior

Since SearchIndexer.exe runs with SYSTEM privileges, this technique can provide high-privileged code execution, making it a stealthy and effective persistence method.

Practice

You can force SearchIndexer.exe to load some DLLs specified in this registry:

HKLM\System\CurrentControlSet\Control\ContentIndex\Language\<some language>\StemmerDLLPathOverride
HKLM\System\CurrentControlSet\Control\ContentIndex\Language\<some language>\WBDLLPathOverride

# StemmerDLLPathOverride
reg add "HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US" /v StemmerDLLPathOverride /t REG_SZ /d "C:\Users\root\evil.dll"

# WBDLLPathOverride
reg add "HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US" /v WBDLLPathOverride /t REG_SZ /d "C:\Users\root\evil.dll"