Potential Credential Dumping Attempt Using New NetworkProvider - REG

 1title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
 2id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
 3related:
 4    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
 5      type: similar
 6status: test
 7description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
 8references:
 9    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
10    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-08-23
13modified: 2023-08-17
14tags:
15    - attack.credential-access
16    - attack.t1003
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|contains|all:
23            - '\System\CurrentControlSet\Services\'
24            - '\NetworkProvider'
25    filter:
26        TargetObject|contains:
27            - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
28            - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
29            - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
30            # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
31    filter_valid_procs:
32        Image: C:\Windows\System32\poqexec.exe
33    condition: selection and not 1 of filter*
34falsepositives:
35    - Other legitimate network providers used and not filtred in this rule
36level: medium