Detect Network Provider DLL in Splunk
Adversaries may register malicious network provider DLLs to capture cleartext user credentials. Windows Winlogon sends credentials to mpnotify.exe during logon, which shares plaintext credentials with all registered credential managers via NPLogonNotify(). A malicious DLL registered as a network provider via HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider and HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order receives cleartext passwords every login. NPPSpy by Grzegorz Tworek is a PoC implementation. Attackers target servers and DCs with high logon frequency.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.008 Network Provider DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1556/008/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=12 OR EventCode=13 OR EventCode=14)
TargetObject="*\\Control\\NetworkProvider*"
| eval ChangeType=case(EventCode=12, "Created", EventCode=13, "Set", EventCode=14, "Deleted", 1==1, "Unknown")
| table _time, host, ChangeType, TargetObject, Details, Image, User
| sort - _time
| append
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
TargetObject="*\\Services\\*\\NetworkProvider*"
| table _time, host, TargetObject, Details, Image, User]
| sort - _timeDetects network provider DLL registration using Sysmon Event ID 12/13/14 (Registry Create/Set/Delete) for the NetworkProvider registry key path. Any new entry in HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order indicates a new provider is being registered, and changes to service-level NetworkProvider entries indicate the DLL path is being set.
Data Sources
Required Sourcetypes
False Positives & Tuning
- VPN client installation registering a new network provider (common for Cisco AnyConnect, GlobalProtect, FortiClient)
- Novell or NetWare client remnants in enterprise environments
- Windows Defender Credential Guard or similar security products modifying provider order
- Legacy software installers that add custom network providers for file share authentication
Other platforms for T1556.008
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Current Network Providers
Expected signal: Sysmon Event ID 12 (Registry Key Opened) for the NetworkProvider\Order key. Security Event ID 4656/4663 if registry auditing is enabled on the key. Process creation event for reg.exe.
- Test 2Register a Test Network Provider (Non-Functional)
Expected signal: Sysmon Event ID 13 (Registry Value Set) for HKLM\SYSTEM\CurrentControlSet\Services\AtomicTestNPP\NetworkProvider\ProviderPath. Security Event ID 4657 if registry auditing is enabled. Process creation for reg.exe.
- Test 3Add Provider to NetworkProvider Order (Persistence Step)
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder, Details showing updated order including 'AtomicTestNPP'. Security Event ID 4657 for registry modification.
References (6)
- https://attack.mitre.org/techniques/T1556/008/
- https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
- https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api
- https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.008/T1556.008.md
Unlock Pro Content
Get the full detection package for T1556.008 including response playbook, investigation guide, and atomic red team tests.