T1556.008 Network Provider DLL Mappings

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)

Adversaries can configure a malicious network provider DLL to receive credentials from mpnotify.exe.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the NPLogonNotify() function.(Citation: NPLogonNotify)

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SI-07 Software, Firmware, and Information Integrity Protects T1556.008 Network Provider DLL
CM-03 Configuration Change Control Protects T1556.008 Network Provider DLL
CM-07 Least Functionality Protects T1556.008 Network Provider DLL
CM-06 Configuration Settings Protects T1556.008 Network Provider DLL
CM-05 Access Restrictions for Change Protects T1556.008 Network Provider DLL
AC-06 Least Privilege Protects T1556.008 Network Provider DLL
CM-02 Baseline Configuration Protects T1556.008 Network Provider DLL
SI-04 System Monitoring Protects T1556.008 Network Provider DLL
AC-03 Access Enforcement Protects T1556.008 Network Provider DLL