Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Sigma rule

```yaml
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/23
modified: 2023/02/02
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    # filter:
    #     CommandLine|contains:
    #         - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
    #         - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL. Remove the comment if you use WSL in your environment
    condition: selection
falsepositives:
    - Other legitimate network providers used and not filtered in this rule
level: high
```
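To make the matching semantics of the rule concrete, here is an added Python re-implementation of its logic (example code written for this page, not part of the Sigma project or the rule's author's tooling) run over a handful of constructed process_creation events. It reproduces `contains|all` over the two selection strings, honours the `logsource` restriction, and optionally applies the commented-out filter for the built-in provider keys so you can see which events the filter would suppress. Event field names and the sample command lines are assumptions for illustration.

```python
"""Added example: Sigma rule logic for the NetworkProvider detection, re-implemented in Python."""

# Strings from the rule's `selection` block; with `contains|all` every one must occur.
SELECTION_ALL = (
    "\\System\\CurrentControlSet\\Services\\",
    "\\NetworkProvider",
)

# Keys from the rule's commented-out `filter` block: providers Windows ships with.
KNOWN_PROVIDER_KEYS = (
    "\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider",
    "\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider",
    "\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider",
    "\\System\\CurrentControlSet\\Services\\P9NP\\NetworkProvider",  # WSL (only if WSL is used in the environment)
)


def selection_matches(command_line: str) -> bool:
    """Sigma's `contains` is case-insensitive, so compare lower-cased substrings."""
    cl = command_line.lower()
    return all(needle.lower() in cl for needle in SELECTION_ALL)


def filter_matches(command_line: str) -> bool:
    """True when the command line references one of the known, legitimate provider keys."""
    cl = command_line.lower()
    return any(key.lower() in cl for key in KNOWN_PROVIDER_KEYS)


def evaluate(event: dict, use_filter: bool = False) -> bool:
    """Return True when the event would fire the rule (`condition: selection`,
    or `selection and not filter` when the optional filter is enabled)."""
    # logsource: only Windows process_creation events are in scope.
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return False
    command_line = event.get("CommandLine", "")
    if not selection_matches(command_line):
        return False
    if use_filter and filter_matches(command_line):
        return False
    return True


def run(events: list, use_filter: bool = False) -> list:
    """Return the ids of all events that match the rule."""
    return [event["id"] for event in events if evaluate(event, use_filter)]


# Constructed sample events (hypothetical; field layout is an assumption).
SAMPLE_EVENTS = [
    {   # A new, non-standard provider key being written: should always fire.
        "id": "evt-1", "category": "process_creation", "product": "windows",
        "CommandLine": "reg add HKLM\\System\\CurrentControlSet\\Services\\ExampleProvider\\NetworkProvider",
    },
    {   # Admin inspecting the built-in SMB provider; mixed case to show case-insensitivity.
        "id": "evt-2", "category": "process_creation", "product": "windows",
        "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider",
    },
    {   # Unrelated command line: never matches.
        "id": "evt-3", "category": "process_creation", "product": "windows",
        "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt",
    },
    {   # Right strings, wrong logsource: out of scope for this rule.
        "id": "evt-4", "category": "registry_event", "product": "windows",
        "CommandLine": "reg add HKLM\\System\\CurrentControlSet\\Services\\ExampleProvider\\NetworkProvider",
    },
]

if __name__ == "__main__":
    print("without filter:", run(SAMPLE_EVENTS))                   # ['evt-1', 'evt-2']
    print("with filter:   ", run(SAMPLE_EVENTS, use_filter=True))  # ['evt-1']
```

Two points the example makes visible: the backslashes in the rule are literal characters (Sigma only treats `\` specially before wildcards), and the selection alone also flags benign reads of the built-in provider keys, which is exactly the false-positive class the rule's `falsepositives` entry and its commented-out filter describe. Enabling the filter in a real deployment trades that noise for blindness to tampering with those four keys, so weigh it against how often your admins touch them.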
