T1556.008 IBM QRadar · QRadar

Detect Network Provider DLL in IBM QRadar

Adversaries may register malicious network provider DLLs to capture cleartext user credentials. During logon, Windows Winlogon passes the user's credentials to mpnotify.exe, which forwards them in plaintext to every registered network provider via NPLogonNotify(). A malicious DLL registered as a network provider under HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider and listed in HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order therefore receives the cleartext password at every login. NPPSpy by Grzegorz Tworek is a public proof-of-concept implementation. Attackers favour servers and domain controllers, where the high logon volume yields the most credentials.

MITRE ATT&CK

Tactic: Credential Access, Defense Evasion, Persistence
Technique: T1556 Modify Authentication Process
Sub-technique: T1556.008 Network Provider DLL
Canonical reference: https://attack.mitre.org/techniques/T1556/008/

QRadar Detection Query

IBM QRadar (QRadar) AQL

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  hostname AS Host,
  username AS User,
  QIDNAME(qid) AS EventName,
  "TargetObject" AS RegistryTarget,
  "Details" AS RegistryValueData,
  "Image" AS InitiatingProcess,
  "CommandLine" AS ProcessCommandLine,
  -- Sysmon registry event IDs: 12 = key/value create or delete, 13 = value set, 14 = key/value rename
  CASE
    WHEN eventid = 12 THEN 'Registry Key/Value Created or Deleted'
    WHEN eventid = 13 THEN 'Registry Value Set'
    WHEN eventid = 14 THEN 'Registry Key/Value Renamed'
    WHEN eventid = 11 THEN 'DLL Written to System32'
    ELSE 'Unknown'
  END AS ChangeType
FROM events
WHERE logsourcetypeid = 396
  AND (
    (
      eventid IN (12, 13, 14)
      AND (
        LOWER("TargetObject") LIKE LOWER('%\Control\NetworkProvider%')
        OR LOWER("TargetObject") LIKE LOWER('%\CurrentControlSet\Control\NetworkProvider%')
        OR (
          LOWER("TargetObject") LIKE LOWER('%\Services\%')
          AND LOWER("TargetObject") LIKE LOWER('%NetworkProvider%')
        )
      )
    )
    OR
    (
      eventid = 11
      AND LOWER("TargetFilename") LIKE LOWER('%\Windows\System32\%.dll')
      AND LOWER("Image") NOT LIKE '%\msiexec.exe'
      AND LOWER("Image") NOT LIKE '%\wusa.exe'
      AND LOWER("Image") NOT LIKE '%\trustedinstaller.exe'
      AND LOWER("Image") NOT LIKE '%\svchost.exe'
      AND LOWER("Image") NOT LIKE '%\poqexec.exe'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS

Severity: High. Confidence: High.

QRadar AQL detection for T1556.008 Network Provider DLL. It queries Sysmon events (logsourcetypeid 396) for two indicators: registry key/value create, delete, set and rename events (Sysmon IDs 12, 13, 14) touching the NetworkProvider control key or a service's NetworkProvider subkey (the registration path for credential-harvesting DLLs), and Sysmon file creation events (ID 11) for DLLs dropped into System32 by processes other than the trusted installer binaries listed in the exclusions. The LOWER() comparisons make the matching case-insensitive, consistent with how the Windows registry treats key names. Note that the installer exclusions match on the process image name only, so a wrapper or renamed installer is still flagged, while anything that genuinely runs as msiexec.exe or svchost.exe is not.
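To see how the query's two branches behave on concrete telemetry, the following Python mirrors the AQL predicate over constructed Sysmon-style events. This is an added illustration, not code from the detection page or from QRadar; the event dictionaries and field names are assumptions modelled on the Sysmon fields the query references.

```python
import re

# Process image names the AQL query excludes from the System32 DLL-write branch.
TRUSTED_INSTALLERS = ("msiexec.exe", "wusa.exe", "trustedinstaller.exe",
                      "svchost.exe", "poqexec.exe")

# Sysmon registry/file event IDs and the ChangeType label the query assigns to each.
CHANGE_TYPE = {12: "Registry Key/Value Created or Deleted",
               13: "Registry Value Set",
               14: "Registry Key/Value Renamed",
               11: "DLL Written to System32"}

def is_network_provider_key(target):
    """Same test as the AQL registry branch: control key, or a service's NetworkProvider subkey."""
    t = target.lower()
    return ("\\control\\networkprovider" in t
            or ("\\services\\" in t and "networkprovider" in t))

def is_untrusted_system32_dll(filename, image):
    """Same test as the AQL file branch: a .dll under System32 written by a non-excluded image."""
    if not re.search(r"\\windows\\system32\\.*\.dll$", filename.lower()):
        return False
    return not image.lower().endswith(tuple("\\" + p for p in TRUSTED_INSTALLERS))

def classify(event):
    """Return the ChangeType label the rule would emit for this event, or None if it is not selected."""
    eid = event["eventid"]
    if eid in (12, 13, 14) and is_network_provider_key(event.get("TargetObject", "")):
        return CHANGE_TYPE[eid]
    if eid == 11 and is_untrusted_system32_dll(event.get("TargetFilename", ""), event.get("Image", "")):
        return CHANGE_TYPE[11]
    return None

def detect(events):
    """Return (Image, ChangeType) for every event the rule selects, in input order."""
    hits = []
    for e in events:
        label = classify(e)
        if label:
            hits.append((e["Image"], label))
    return hits

# Constructed sample events (not real telemetry) covering both branches and two non-matches.
SAMPLE_EVENTS = [
    {"eventid": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\AtomicTestNPP\NetworkProvider\ProviderPath"},
    {"eventid": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder"},
    {"eventid": 11, "Image": r"C:\Users\Public\dropper.exe", "TargetFilename": r"C:\Windows\System32\npp.dll"},
    {"eventid": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Windows\System32\vendor.dll"},  # excluded installer
    {"eventid": 13, "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"},  # unrelated key
]

if __name__ == "__main__":
    for image, change in detect(SAMPLE_EVENTS):
        print(f"{change:<40} {image}")
```

Running it prints three hits: the two registry writes from reg.exe and the DLL dropped by the untrusted image; the msiexec.exe write and the Tcpip key change are not selected.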

Data Sources

  • Sysmon for Windows (QRadar logsourcetypeid 396)
  • Microsoft Windows Security Event Log (logsourcetypeid 12)
  • Windows System Event Log (logsourcetypeid 13)

Required Tables

events

False Positives & Tuning

  • VPN software installation or update processes writing their network provider DLLs to System32 and registering them under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order; common with Cisco AnyConnect, Juniper, and Fortinet clients
  • Group Policy processing (gpsvc hosted in svchost.exe) updating NetworkProvider registry ordering as part of domain policy application, particularly after GPO changes affecting network authentication
  • Custom in-house enterprise software that wraps msiexec or uses its own installer binary to deploy components, including credential-related modules; the msiexec exclusion matches the image name only and will not cover such wrapper processes

Testing Methodology

Validate this detection against three Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Enumerate Current Network Providers

    Expected signal: Sysmon Event ID 12 (Registry Key Opened) for the NetworkProvider\Order key. Security Event ID 4656/4663 if registry auditing is enabled on the key. Process creation event for reg.exe.

  2. Test 2: Register a Test Network Provider (Non-Functional)

    Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\SYSTEM\CurrentControlSet\Services\AtomicTestNPP\NetworkProvider\ProviderPath. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.

  3. Test 3: Add Provider to NetworkProvider Order (Persistence Step)

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Details showing updated order including 'AtomicTestNPP'. Security Event ID 4657 for registry modification.
