Techniques
Sample rules
Network Logon Provider Registry Modification
- source: elastic
- techniques:
- T1543
- T1556
Description
Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.
Detection logic
registry where host.os.type == "windows" and event.type == "change" and
registry.data.strings : "?*" and registry.value : "ProviderPath" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
) and
/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
not (
user.id : "S-1-5-18" and
registry.data.strings : (
"%SystemRoot%\\System32\\ntlanman.dll",
"%SystemRoot%\\System32\\drprov.dll",
"%SystemRoot%\\System32\\davclnt.dll",
"%SystemRoot%\\System32\\vmhgfs.dll",
"?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll",
"?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll",
"?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll"
)
)
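The detection logic above, re-implemented in Python as an added illustration (not Elastic's own code or the rule engine) so the wildcard matching of EQL's `:` operator and the SYSTEM/default-provider exclusion can be stepped through on constructed events; field names follow ECS as used in the rule, and the sample events are invented for this walkthrough.

```python
import re
PATH_PATTERNS = (  # registry key patterns and value name taken from the rule on the page
    "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
    "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
)
# Default providers the rule excludes when the write comes from SYSTEM (S-1-5-18).
DEFAULT_PROVIDERS = (
    "%SystemRoot%\\System32\\ntlanman.dll",
    "%SystemRoot%\\System32\\drprov.dll",
    "%SystemRoot%\\System32\\davclnt.dll",
    "%SystemRoot%\\System32\\vmhgfs.dll",
    "?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll",
    "?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll",
    "?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll",
)
SYSTEM_SID = "S-1-5-18"

def glob_match(pattern, value):
    # Approximates EQL ':' on keyword fields: '*' any run, '?' one char, case-insensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None

def matches_rule(event):
    # True when one registry event satisfies the detection logic on the page.
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    data = event.get("registry.data.strings") or []       # multi-valued field in ECS
    strings = data if isinstance(data, list) else [data]
    if not (any(glob_match("?*", s) for s in strings)       # non-empty data
            and glob_match("ProviderPath", event.get("registry.value", ""))
            and any(glob_match(p, event.get("registry.path", "")) for p in PATH_PATTERNS)):
        return False
    # Exclusion block: SYSTEM writing a known default provider DLL is treated as benign.
    benign = event.get("user.id") == SYSTEM_SID and any(
        glob_match(p, s) for p in DEFAULT_PROVIDERS for s in strings)
    return not benign

# Constructed sample events (not real telemetry): one benign default, one alerting write.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-18", "registry.value": "ProviderPath",
     "registry.path": "HKLM\\SYSTEM\\ControlSet001\\Services\\LanmanWorkstation\\NetworkProvider\\ProviderPath",
     "registry.data.strings": ["%SystemRoot%\\System32\\ntlanman.dll"]},
    {"host.os.type": "windows", "event.type": "change", "user.id": "S-1-5-21-1111-2222-3333-1001", "registry.value": "ProviderPath",
     "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleNP\\NetworkProvider\\ProviderPath",
     "registry.data.strings": ["C:\\Users\\Public\\examplenp.dll"]},
]

def find_alerts(events):
    # Return the registry paths of the events that would raise this rule.
    return [e["registry.path"] for e in events if matches_rule(e)]
```

Note that the exclusion is keyed on both the SYSTEM SID and the known DLL path: the same default DLL written by a non-SYSTEM account still alerts.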