T1556.008 Network Provider DLL Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let NetworkProviderRegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    @"Control\NetworkProvider",
    @"CurrentControlSet\Control\NetworkProvider",
    @"Services\NetworkProvider"
  )
| where RegistryValueName in~ ("Order", "Name", "ProviderPath") or RegistryKey has "NetworkProvider"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine;
let NewServiceDLL = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has @"CurrentControlSet\Services"
| where RegistryValueName in~ ("ProviderPath", "NetworkProvider")
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName;
let NewDLLInSystem32 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath =~ @"C:\Windows\System32"
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ (
    "msiexec.exe", "wusa.exe", "TrustedInstaller.exe", "svchost.exe", "poqexec.exe"
  )
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SHA256;
union NetworkProviderRegistry, NewServiceDLL, NewDLLInSystem32
| sort by Timestamp desc

critical severity high confidence

Data Sources

Windows Registry: Registry Key Modification File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents

False Positives

Legitimate third-party network providers installed by enterprise software (e.g., Novell Client, VPN software, enterprise SSO solutions)
Windows updates or service packs that modify NetworkProvider registry keys
Corporate VPN clients or remote desktop software registering custom network providers
Enterprise authentication middleware products that integrate with Windows logon via the Network Provider API

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  (EventCode=12 OR EventCode=13 OR EventCode=14)
  TargetObject="*\\Control\\NetworkProvider*"
| eval ChangeType=case(EventCode=12, "Created", EventCode=13, "Set", EventCode=14, "Deleted", 1==1, "Unknown")
| table _time, host, ChangeType, TargetObject, Details, Image, User
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
   TargetObject="*\\Services\\*\\NetworkProvider*"
  | table _time, host, TargetObject, Details, Image, User]
| sort - _time

critical severity high confidence

Data Sources

Windows Registry: Registry Key Modification Sysmon Event ID 12 Sysmon Event ID 13 Sysmon Event ID 14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

VPN client installation registering a new network provider (common for Cisco AnyConnect, GlobalProtect, FortiClient)
Novell or NetWare client remnants in enterprise environments
Windows Defender Credential Guard or similar security products modifying provider order
Legacy software installers that add custom network providers for file share authentication

Elastic Security (EQL)

eql

any where
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    (
      registry.key : ("*\\Control\\NetworkProvider*", "*\\CurrentControlSet\\Control\\NetworkProvider*") or
      (
        registry.key : "*\\Services\\*" and
        registry.value : ("ProviderPath", "NetworkProvider")
      )
    )
  ) or
  (
    event.category == "file" and
    event.type == "creation" and
    file.path : "C:\\Windows\\System32\\*.dll" and
    not process.name : (
      "msiexec.exe", "wusa.exe", "TrustedInstaller.exe",
      "svchost.exe", "poqexec.exe", "setup.exe"
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (registry events via Sysmon or Elastic Agent) Windows File Integrity Monitoring via Elastic Agent Sysmon Event IDs 11 (FileCreate), 12/13/14 (Registry)

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-windows.sysmon_operational-*

False Positives

Legitimate VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect, Pulse Secure) that register their own network provider DLLs during installation or update cycles — these will modify NetworkProvider\Order and write a DLL to System32
Windows servicing operations (Windows Update, DISM, component-based servicing) that adjust NetworkProvider ordering as part of cumulative updates or feature upgrades
Enterprise endpoint security products, backup agents, or credential management tools (e.g., CyberArk, BeyondTrust) that install credential interception components as part of their privileged access management functionality

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  hostname AS Host,
  username AS User,
  QIDNAME(qid) AS EventName,
  "TargetObject" AS RegistryTarget,
  "Details" AS RegistryValueData,
  "Image" AS InitiatingProcess,
  "CommandLine" AS ProcessCommandLine,
  CASE
    WHEN eventid = 12 THEN 'Registry Key Created'
    WHEN eventid = 13 THEN 'Registry Value Set'
    WHEN eventid = 14 THEN 'Registry Key/Value Deleted'
    WHEN eventid = 11 THEN 'DLL Written to System32'
    ELSE 'Unknown'
  END AS ChangeType
FROM events
WHERE logsourcetypeid = 396
  AND (
    (
      eventid IN (12, 13, 14)
      AND (
        LOWER("TargetObject") LIKE LOWER('%\Control\NetworkProvider%')
        OR LOWER("TargetObject") LIKE LOWER('%\CurrentControlSet\Control\NetworkProvider%')
        OR (
          LOWER("TargetObject") LIKE LOWER('%\Services\%')
          AND LOWER("TargetObject") LIKE LOWER('%NetworkProvider%')
        )
      )
    )
    OR
    (
      eventid = 11
      AND LOWER("TargetFilename") LIKE LOWER('%\Windows\System32\%.dll')
      AND LOWER("Image") NOT LIKE '%\msiexec.exe'
      AND LOWER("Image") NOT LIKE '%\wusa.exe'
      AND LOWER("Image") NOT LIKE '%\trustedinstaller.exe'
      AND LOWER("Image") NOT LIKE '%\svchost.exe'
      AND LOWER("Image") NOT LIKE '%\poqexec.exe'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Sysmon for Windows (QRadar logsourcetypeid 396) Microsoft Windows Security Event Log (logsourcetypeid 12) Windows System Event Log (logsourcetypeid 13)

Required Tables

events

False Positives

VPN software installation or update processes writing their network provider DLLs to System32 and registering them under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order — common with Cisco AnyConnect, Juniper, and Fortinet clients
Group Policy processing (gpsvc via svchost.exe) updating NetworkProvider registry ordering as part of domain policy application, particularly after GPO changes affecting network authentication
Custom in-house enterprise software that wraps msiexec or uses its own installer binary to deploy components including credential interception modules — the msiexec exclusion will not cover wrapper processes

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon*)
| where EventCode in ("12", "13", "14", "11")
| where
  (
    EventCode in ("12", "13", "14")
    and (
      TargetObject matches "*\\Control\\NetworkProvider*"
      or TargetObject matches "*\\CurrentControlSet\\Control\\NetworkProvider*"
      or (TargetObject matches "*\\Services\\*" and TargetObject matches "*NetworkProvider*")
    )
  )
  or
  (
    EventCode = "11"
    and TargetFilename matches "*\\Windows\\System32\\*.dll"
    and !(Image matches "*\\msiexec.exe")
    and !(Image matches "*\\wusa.exe")
    and !(Image matches "*\\TrustedInstaller.exe")
    and !(Image matches "*\\svchost.exe")
    and !(Image matches "*\\poqexec.exe")
  )
| eval EventType = if(EventCode="11", "DLL Written to System32",
    if(EventCode="12", "Registry Key Created",
      if(EventCode="13", "Registry Value Set",
        if(EventCode="14", "Registry Object Deleted", "Unknown"))))
| eval ArtifactPath = if(EventCode="11", TargetFilename, TargetObject)
| eval AlertSeverity = if(EventCode in ("12","13") and ArtifactPath matches "*ProviderPath*", "CRITICAL",
    if(EventCode in ("12","13") and ArtifactPath matches "*Order*", "HIGH", "MEDIUM"))
| table _time, Computer, User, EventType, AlertSeverity, ArtifactPath, Details, Image
| sort - _time

high severity high confidence

Data Sources

Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log Collector (Security, System) Sumo Logic Cloud SIEM normalized Windows events

Required Tables

_sourceCategory=*windows*sysmon*

False Positives

Enterprise VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect, Pulse Secure) that register their network credential provider DLL under NetworkProvider\Order and write associated DLLs to System32 during installation
Microsoft Windows Update and cumulative patches modifying NetworkProvider order registry keys as part of authentication subsystem updates — particularly prevalent after major Windows feature updates
Legitimate credential management or privileged access management (PAM) solutions such as CyberArk, BeyondTrust, or Thycotic that install credential interception hooks as network providers to enable session recording or credential vaulting

Google Chronicle / SecOps

yaral

rule T1556_008_NetworkProviderDLL {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malicious network provider DLL registration (T1556.008): monitors registry modifications to HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider and Services\\*\\NetworkProvider keys, and unexpected DLL creation in System32 by non-trusted processes. Credential-harvesting DLLs registered as network providers receive cleartext passwords via NPLogonNotify() on every logon."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.008"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/008/"
    created = "2026-04-13"

  events:
    (
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" or
        $e.metadata.event_type = "REGISTRY_CREATION"
      ) and
      (
        re.regex($e.target.registry.registry_key, `(?i).*\\Control\\NetworkProvider.*`) or
        re.regex($e.target.registry.registry_key, `(?i).*\\CurrentControlSet\\Control\\NetworkProvider.*`) or
        (
          re.regex($e.target.registry.registry_key, `(?i).*\\Services\\[^\\]+\\NetworkProvider`) and
          re.regex($e.target.registry.registry_value_name, `(?i)^(ProviderPath|Name)$`)
        )
      )
    ) or
    (
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path, `(?i)^C:\\Windows\\System32\\[^\\]+\.dll$`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|wusa|trustedinstaller|svchost|poqexec)\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM — REGISTRY_MODIFICATION events Google Chronicle UDM — FILE_CREATION events Windows endpoint telemetry (Sysmon, Microsoft Defender for Endpoint, CrowdStrike) forwarded to Chronicle via ingestion feeds

Required Tables

UDM events (metadata.event_type: REGISTRY_MODIFICATION, REGISTRY_CREATION, FILE_CREATION)

False Positives

Legitimate network authentication middleware such as Cisco AnyConnect, GlobalProtect, or third-party RADIUS clients that install as Windows network providers — these trigger both the registry and file creation signals during installation
Windows domain join operations and Active Directory authentication component updates that register or reorder network provider entries under Control\NetworkProvider\Order
Security products implementing credential inspection capabilities (e.g., CyberArk Endpoint Privilege Manager, Delinea) that function as registered network providers to intercept and vault credentials

CrowdStrike LogScale (CQL)

cql

// T1556.008 — Network Provider DLL: registry registration and DLL staging
// Branch 1: NetworkProvider registry key creation or value modification
#event_simpleName = /RegKeyCreate|RegKeyValueUpdate|RegGenericValueUpdate|AsepValueUpdate/
| TargetObjectName = /(?i)(\\Control\\NetworkProvider|\\CurrentControlSet\\Control\\NetworkProvider|\\Services\\[^\\]+\\NetworkProvider)/
| eval DetectionBranch = "Registry: NetworkProvider Key Modified"
| select([timestamp, ComputerName, UserName, DetectionBranch, TargetObjectName, TargetObjectValueData, ImageFileName, CommandLine, ContextProcessId])

union

// Branch 2: Unexpected DLL written to System32
#event_simpleName = NewExecutableWritten
| TargetFileName = /(?i)^C:\\Windows\\System32\\[^\\]+\.dll$/
| ImageFileName != /(?i)(\\msiexec\.exe|\\wusa\.exe|\\TrustedInstaller\.exe|\\svchost\.exe|\\poqexec\.exe)$/
| eval DetectionBranch = "File: Unexpected DLL Written to System32"
| select([timestamp, ComputerName, UserName, DetectionBranch, TargetFileName, ImageFileName, CommandLine, TargetProcessId])

| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR — Registry telemetry (RegKeyCreate, RegKeyValueUpdate, AsepValueUpdate) CrowdStrike Falcon EDR — File telemetry (NewExecutableWritten) CrowdStrike Falcon Data Replicator (FDR) event stream

Required Tables

#event_simpleName=RegKeyCreate #event_simpleName=RegKeyValueUpdate #event_simpleName=RegGenericValueUpdate #event_simpleName=AsepValueUpdate #event_simpleName=NewExecutableWritten

False Positives

VPN software installations and updates — Cisco AnyConnect, Palo Alto GlobalProtect, and Fortinet FortiClient all register as Windows network providers and write DLLs to System32, generating both registry and file events on install and upgrade
Software deployment via SCCM, Intune, or Ansible that packages software containing network provider components — the wrapping deployment agent (not msiexec) will appear as the initiating process and bypass the installer exclusion list
Windows OS in-place upgrades and servicing operations executed by setup.exe or Windows Update Agent components that rewrite and reregister network subsystem DLLs as part of authentication framework updates

Network Provider DLL

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections