Technique on mitre.org

T1556.008: Network Provider DLL

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.

Adversaries can configure a malicious network provider DLL to receive credentials from mpnotify.exe. Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the NPLogonNotify() function.

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-2633: Network_Provider_Modification: A new network provider was created or registered by modifying registry keys. This may indicate an attacker's attempt to gain persistence in the system using a new network provider DLL. mitre_attck_persistence: PT-CR-2623: Suspicious_Network_Provider_DLL_Loaded: The mpnotify.exe process loaded a suspicious DLL. This may indicate an attacker's attempt to gain persistence in the system by creating a new network provider.

Detection

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Creation	Description	Monitor for the addition of network provider Registry keys (e.g., `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider`).

ID	DS0024	Data source and component	Windows Registry: Windows Registry Key Modification	Description	Monitor for changes to Registry entries for network providers (e.g., `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`) and correlate then investigate the DLL files these values reference.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).

ID	DS0009	Data source and component	Process: OS API Execution	Description	Monitor for abnormal API calls to `NPLogonNotify()`.

ID	Data source and component	Description
DS0024	Windows Registry: Windows Registry Key Creation	Monitor for the addition of network provider Registry keys (e.g., `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider`).
DS0024	Windows Registry: Windows Registry Key Modification	Monitor for changes to Registry entries for network providers (e.g., `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`) and correlate then investigate the DLL files these values reference.
DS0022	File: File Creation	Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).
DS0009	Process: OS API Execution	Monitor for abnormal API calls to `NPLogonNotify()`.

Mitigation

ID	M1024	Name	Restrict Registry Permissions	Description	Restrict Registry permissions to disallow the modification of sensitive Registry keys such as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`.

ID	M1047	Name	Audit	Description	Periodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\<NetworkProviderName>\NetworkProvider`.

ID	M1028	Name	Operating System Configuration	Description	Starting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.

ID	Name	Description
M1024	Restrict Registry Permissions	Restrict Registry permissions to disallow the modification of sensitive Registry keys such as `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`.
M1047	Audit	Periodically review for new and unknown network provider DLLs within the Registry (`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<NetworkProviderName>\NetworkProvider\ProviderPath`). Ensure only valid network provider DLLs are registered. The name of these can be found in the Registry key at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`, and have corresponding service subkey pointing to a DLL at `HKEY_LOCAL_MACHINE\SYSTEM\CurrentC ontrolSet\Services\<NetworkProviderName>\NetworkProvider`.
M1028	Operating System Configuration	Starting in Windows 11 22H2, the `EnableMPRNotifications` policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.