# Natural Language 6 DLLs Persistence

## Theory

The **Natural Language Development Platform 6 (NaturalLanguage6.dll) Persistence** technique leverages registry keys associated with the **Natural Language Development Platform 6 library** to achieve code execution by loading a malicious DLL.

By modifying the registry values **`StemmerDLLPathOverride`** or **`WBDLLPathOverride`** under the relevant keys, an attacker can specify the path to a custom DLL. When **`SearchIndexer.exe`**, a built-in Windows service responsible for indexing files, initializes, it calls **`LoadLibrary`** to load the DLL specified in these registry values.

#### **Trigger Condition:**

This persistence mechanism is triggered whenever **`SearchIndexer.exe`** starts or restarts, which typically occurs:

* At system startup
* When the Windows Search service (`WSearch`) is restarted
* Periodically, depending on system activity and indexing behavior

Since **`SearchIndexer.exe`** runs with SYSTEM privileges, this technique can provide high-privileged code execution, making it a stealthy and effective persistence method.

## Practice

{% tabs %}
{% tab title="Natural Language 6 DLLs" %}
You can force SearchIndexer.exe to load some DLLs specified in this registry:

* `HKLM\System\CurrentControlSet\Control\ContentIndex\Language\<some language>\StemmerDLLPathOverride`
* `HKLM\System\CurrentControlSet\Control\ContentIndex\Language\<some language>\WBDLLPathOverride`

```powershell
# StemmerDLLPathOverride
reg add "HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US" /v StemmerDLLPathOverride /t REG_SZ /d "C:\Users\root\evil.dll"

# WBDLLPathOverride
reg add "HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US" /v WBDLLPathOverride /t REG_SZ /d "C:\Users\root\evil.dll"
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="<https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/>" %}

{% embed url="<https://persistence-info.github.io/Data/naturallanguage6.html>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://red.infiltr8.io/redteam/persistence/windows/natural-language-6-dlls.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.