title: Network Provider DLL (T1556.008)
id: df00tech-t1556-008
status: experimental
description: "Adversaries may register malicious network provider DLLs to capture cleartext user credentials. During logon, Winlogon passes the credentials to mpnotify.exe, which hands the plaintext password to every registered network provider via NPLogonNotify(). A malicious DLL registered as a network provider via HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\NetworkProvider and HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order therefore receives cleartext passwords at every logon. NPPSpy by Grzegorz Tworek is a PoC implementation. Attackers target servers and DCs with high logon frequency."
references:
  - https://attack.mitre.org/techniques/T1556/008/
  - https://df00tech.com/detections/T1556.008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.008
# NOTE: logsource was auto-derived as process_creation; the observable named in the
# description is a registry value write, so the rule is keyed on registry_set
# (Sysmon Event ID 13). Adjust for your environment if needed.
logsource:
  category: registry_set
  product: windows
detection:
  # Selections cover the two registry locations named in the description: the
  # per-service NetworkProvider subkey and the global provider Order key.
  # Compare against the KQL/SPL query on df00tech before deploying.
  selection_service_provider:
    TargetObject|contains|all:
      - '\CurrentControlSet\Services\'
      - '\NetworkProvider'
  selection_provider_order:
    TargetObject|contains: '\Control\NetworkProvider\Order'
  condition: 1 of selection_*
falsepositives:
  - "Legitimate third-party network providers installed by enterprise software (e.g., Novell Client, VPN software, enterprise SSO solutions)"
  - Windows updates or service packs that modify NetworkProvider registry keys
  - Corporate VPN clients or remote desktop software registering custom network providers
  - Enterprise authentication middleware products that integrate with Windows logon via the Network Provider API
level: critical
