Network Logon Provider Registry Modification
Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access by intercepting the authentication credentials in clear text during user logon.
Elastic rule (View on GitHub)
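[metadata]
creation_date = "2021/03/18"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon
provider module for persistence and/or credential access via intercepting the authentication credentials in clear text
during user logon.
"""
# Legitimate third-party providers write the same registry value; the query below
# allow-lists a fixed set of vendor DLLs, but only when the writer is SYSTEM (S-1-5-18).
false_positives = ["Authorized third party network logon providers."]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Network Logon Provider Registry Modification"
references = [
    "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
    "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify",
]
risk_score = 47
rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Matches Windows registry events that set a non-empty ("?*") ProviderPath value under
# Services\<name>\NetworkProvider, in both the HKLM\ and \REGISTRY\MACHINE\ path notations.
# An event is excluded only when BOTH hold: the writer is SYSTEM (S-1-5-18) and the value is
# one of the listed built-in/vendor provider DLLs. The exclusion keys on the path string and
# the writer SID, not on the module's signature, so review the list against the providers
# actually deployed in your environment when tuning.
# NOTE(review): the CheckPoint entry contains a doubled escaped backslash ("\\\\") before
# epcgina.dll, unlike every other entry; the value is compared literally, so confirm it matches
# what that product writes before changing it.
query = '''
registry where host.os.type == "windows" and registry.data.strings : "?*" and
 registry.path : (
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
 "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
 ) and
 /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
 not (
 user.id : "S-1-5-18" and
 registry.data.strings : (
 "%SystemRoot%\\System32\\ntlanman.dll",
 "%SystemRoot%\\System32\\drprov.dll",
 "%SystemRoot%\\System32\\davclnt.dll",
 "%SystemRoot%\\System32\\vmhgfs.dll",
 "?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll",
 "?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll",
 "?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll"
 )
 )
'''

# ATT&CK mapping: one [[rule.threat]] entry per tactic; the technique and tactic
# sub-tables that follow each entry belong to that entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"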