1. Home
  2. ATT&CK Techniques
  3. T1556.008 Network Provider DLL

T1556.008 Network Provider DLL

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify)

Adversaries can configure a malicious network provider DLL to receive credentials from mpnotify.exe.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the NPLogonNotify() function.(Citation: NPLogonNotify)

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1556.008 Network Provider DLL
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1556.008 Network Provider DLL
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.PS-01.03 Configuration deviation Mitigates T1556.008 Network Provider DLL
      Comments
      This diagnostic statement provides protection from Modify Authentication Process: Network Provider DLL through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System (including only allowing valid DLLs, secure policies) and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.
      References

        NIST 800-53 Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        CM-06 Configuration Settings mitigates T1556.008 Network Provider DLL
        CM-05 Access Restrictions for Change mitigates T1556.008 Network Provider DLL
        SI-07 Software, Firmware, and Information Integrity mitigates T1556.008 Network Provider DLL
        CM-02 Baseline Configuration mitigates T1556.008 Network Provider DLL
        CM-07 Least Functionality mitigates T1556.008 Network Provider DLL
        SI-04 System Monitoring mitigates T1556.008 Network Provider DLL
        AC-06 Least Privilege mitigates T1556.008 Network Provider DLL
        AC-03 Access Enforcement mitigates T1556.008 Network Provider DLL
        CM-03 Configuration Change Control mitigates T1556.008 Network Provider DLL

        VERIS Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1556.008 Network Provider DLL
        attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1556.008 Network Provider DLL

        Azure Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1556.008 Network Provider DLL
        Comments
        This control can monitor for creation or changes to registry keys associated with network provider DLL such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\NetworkProvider and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.
        References
        1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview

        GCP Mappings

        Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
        advanced_protection_program Advanced Protection Program technique_scores T1556.008 Network Provider DLL
        Comments
        Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.
        References
        1. ['https://landing.google.com/advancedprotection/']