T1556.008 Google Chronicle · YARA-L

Detect Network Provider DLL in Google Chronicle

Adversaries may register malicious network provider DLLs to capture cleartext user credentials. Windows Winlogon sends credentials to mpnotify.exe during logon, which shares plaintext credentials with all registered credential managers via NPLogonNotify(). A malicious DLL registered as a network provider via HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider and HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order receives cleartext passwords every login. NPPSpy by Grzegorz Tworek is a PoC implementation. Attackers target servers and DCs with high logon frequency.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion, Persistence
Technique: T1556 Modify Authentication Process
Sub-technique: T1556.008 Network Provider DLL
Canonical reference: https://attack.mitre.org/techniques/T1556/008/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule T1556_008_NetworkProviderDLL {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malicious network provider DLL registration (T1556.008): monitors registry modifications to HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider and Services\\*\\NetworkProvider keys, and unexpected DLL creation in System32 by non-trusted processes. Credential-harvesting DLLs registered as network providers receive cleartext passwords via NPLogonNotify() on every logon."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.008"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1556/008/"
    created = "2026-04-13"

  events:
    // Branch 1: a network provider is registered or the provider order is changed
    (
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION" or
        $e.metadata.event_type = "REGISTRY_CREATION"
      ) and
      (
        re.regex($e.target.registry.registry_key, `(?i).*\\Control\\NetworkProvider.*`) or
        re.regex($e.target.registry.registry_key, `(?i).*\\CurrentControlSet\\Control\\NetworkProvider.*`) or
        (
          // Services\<name>\NetworkProvider: only the ProviderPath and Name values are of interest
          re.regex($e.target.registry.registry_key, `(?i).*\\Services\\[^\\]+\\NetworkProvider`) and
          re.regex($e.target.registry.registry_value_name, `(?i)^(ProviderPath|Name)$`)
        )
      )
    ) or
    // Branch 2: a DLL is written directly into System32 by a process outside the trusted installer set
    (
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path, `(?i)^C:\\Windows\\System32\\[^\\]+\.dll$`) and
      not re.regex($e.principal.process.file.full_path, `(?i)(msiexec|wusa|trustedinstaller|svchost|poqexec)\.exe$`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule for T1556.008 Network Provider DLL. Uses UDM REGISTRY_MODIFICATION and FILE_CREATION event types to detect the two-stage attack: (1) registration of a malicious DLL as a network provider via HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider or Services\<name>\NetworkProvider registry keys; (2) the preceding DLL staging step where the malicious DLL is dropped into System32 by a non-trusted process. DLLs registered as network providers receive cleartext credentials via NPLogonNotify() from mpnotify.exe at every interactive and network logon.
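To see what each branch of the rule actually fires on, here is an added example (not from this page or from Chronicle) that re-expresses the rule's predicates with Python's re module and runs them over constructed UDM-shaped events. The flattened field names (registry_key, registry_value_name, file_path, process_path) are shorthand for the UDM fields the rule references, and every sample path, key and process name is constructed.

```python
import re

# The YARA-L predicates above, re-expressed with Python's re (an RE2-compatible subset).
# re.search mirrors YARA-L's unanchored matching; this is not Chronicle's evaluator.
KEY_CONTROL_NP = re.compile(r"(?i).*\\Control\\NetworkProvider.*")
KEY_SERVICE_NP = re.compile(r"(?i).*\\Services\\[^\\]+\\NetworkProvider")
VALUE_NAMES = re.compile(r"(?i)^(ProviderPath|Name)$")
SYSTEM32_DLL = re.compile(r"(?i)^C:\\Windows\\System32\\[^\\]+\.dll$")
TRUSTED_WRITERS = re.compile(r"(?i)(msiexec|wusa|trustedinstaller|svchost|poqexec)\.exe$")

def rule_matches(ev):
    """Return 'registry' or 'file' for the branch that fires, else None."""
    etype = ev.get("event_type")
    if etype in ("REGISTRY_MODIFICATION", "REGISTRY_CREATION"):
        key, value = ev.get("registry_key", ""), ev.get("registry_value_name", "")
        if KEY_CONTROL_NP.search(key):
            return "registry"  # any write under Control\NetworkProvider (e.g. the Order key)
        if KEY_SERVICE_NP.search(key) and VALUE_NAMES.search(value):
            return "registry"  # Services\<svc>\NetworkProvider: ProviderPath or Name only
    if etype == "FILE_CREATION":
        if SYSTEM32_DLL.search(ev.get("file_path", "")) and \
                not TRUSTED_WRITERS.search(ev.get("process_path", "")):
            return "file"  # DLL dropped directly in System32 by an untrusted writer
    return None

def reg(name, key, value):  # constructed registry event (flattened UDM shape)
    return {"name": name, "event_type": "REGISTRY_MODIFICATION",
            "registry_key": key, "registry_value_name": value}

def drop(name, path, writer):  # constructed file-creation event (flattened UDM shape)
    return {"name": name, "event_type": "FILE_CREATION",
            "file_path": path, "process_path": writer}

SVC = r"HKLM\SYSTEM\CurrentControlSet\Services\AtomicTestNPP\NetworkProvider"
TMP = r"C:\Users\alice\AppData\Local\Temp\stage.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    reg("test2-providerpath", SVC, "ProviderPath"),
    reg("test3-order", r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order", "ProviderOrder"),
    reg("svc-other-value", SVC, "DeviceRedirections"),
    drop("untrusted-system32-drop", r"C:\Windows\System32\npp_test.dll", TMP),
    drop("trustedinstaller-drop", r"C:\Windows\System32\ntdll.dll", r"C:\Windows\servicing\TrustedInstaller.exe"),
    drop("subdir-drop-not-covered", r"C:\Windows\System32\spool\drivers\x64\3\npp_test.dll", TMP),
]

def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event's name to the branch that fired (or None)."""
    return {ev["name"]: rule_matches(ev) for ev in events}
```

The last sample shows a coverage limit worth knowing: the anchored `[^\\]+\.dll$` pattern only matches DLLs written directly into System32, so a drop into a System32 subdirectory is not caught by the file branch.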

Data Sources

  • Google Chronicle UDM — REGISTRY_MODIFICATION events
  • Google Chronicle UDM — FILE_CREATION events
  • Windows endpoint telemetry (Sysmon, Microsoft Defender for Endpoint, CrowdStrike) forwarded to Chronicle via ingestion feeds

Required Tables

UDM events (metadata.event_type: REGISTRY_MODIFICATION, REGISTRY_CREATION, FILE_CREATION)

False Positives & Tuning

  • Legitimate network authentication middleware such as Cisco AnyConnect, GlobalProtect, or third-party RADIUS clients that install as Windows network providers — these trigger both the registry and file creation signals during installation
  • Windows domain join operations and Active Directory authentication component updates that register or reorder network provider entries under Control\NetworkProvider\Order
  • Security products implementing credential inspection capabilities (e.g., CyberArk Endpoint Privilege Manager, Delinea) that function as registered network providers to intercept and vault credentials

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Enumerate Current Network Providers

    Expected signal: Sysmon Event ID 12 (Registry Key Opened) for the NetworkProvider\Order key. Security Event ID 4656/4663 if registry auditing is enabled on the key. Process creation event for reg.exe.

  2. Test 2: Register a Test Network Provider (Non-Functional)

    Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\SYSTEM\CurrentControlSet\Services\AtomicTestNPP\NetworkProvider\ProviderPath. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.

  3. Test 3: Add Provider to NetworkProvider Order (Persistence Step)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Details showing updated order including 'AtomicTestNPP'. Security Event ID 4657 for registry modification.
