LoFP / other legitimate network providers used and not filtered in this rule

Techniques

Sample rules

Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Description

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - \System\CurrentControlSet\Services\
  - \NetworkProvider

Potential Credential Dumping Attempt Using New NetworkProvider - REG

Description

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Detection logic

condition: selection and not 1 of filter*
filter:
  TargetObject|contains:
  - \System\CurrentControlSet\Services\WebClient\NetworkProvider
  - \System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
  - \System\CurrentControlSet\Services\RDPNP\NetworkProvider
filter_valid_procs:
  Image: C:\Windows\System32\poqexec.exe
selection:
  TargetObject|contains|all:
  - \System\CurrentControlSet\Services\
  - \NetworkProvider
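The REG rule's detection logic, evaluated in Python against constructed Sysmon-style registry events, as an added example that is not part of the LoFP page or the Sigma rule itself. It assumes Sigma's default case-insensitive string matching, and the event ids, image paths and vendor names in the samples are invented; the last sample reproduces the false positive recorded on this page, a legitimate third-party provider that is not in the filter list.

```python
# Added example, not code from the LoFP page or the Sigma rule project:
# evaluates the REG rule above against constructed Sysmon-style registry
# events. Sigma string modifiers are case-insensitive by default, so both
# sides are lower-cased before comparison.
from typing import Dict, List

# Patterns copied from the rule above (selection and the two filters).
SELECTION_ALL = ["\\system\\currentcontrolset\\services\\", "\\networkprovider"]
FILTER_BUILTIN = [
    "\\system\\currentcontrolset\\services\\webclient\\networkprovider",
    "\\system\\currentcontrolset\\services\\lanmanworkstation\\networkprovider",
    "\\system\\currentcontrolset\\services\\rdpnp\\networkprovider",
]
FILTER_VALID_IMAGE = "c:\\windows\\system32\\poqexec.exe"


def matches_reg_rule(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter*"""
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    selection = all(p in target for p in SELECTION_ALL)        # contains|all
    filter_builtin = any(p in target for p in FILTER_BUILTIN)  # contains (any)
    filter_valid_procs = image == FILTER_VALID_IMAGE           # exact match
    return selection and not (filter_builtin or filter_valid_procs)


def alerting_events(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_reg_rule(e)]


# Constructed sample events (ids, images and vendor names are invented).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NPPSpy\NetworkProvider\ProviderPath"},
    {"id": "e2", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WebClient\NetworkProvider\Name"},
    {"id": "e3", "Image": r"C:\Windows\System32\poqexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleOemNP\NetworkProvider\Name"},
    {"id": "e4", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WebClient\Parameters\Start"},
    # Legitimate third-party provider absent from the filter list: the false positive this page records.
    {"id": "e5", "Image": r"C:\Program Files\ExampleVPN\setup.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleVpnNP\NetworkProvider\Name"},
]

if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))  # ['e1', 'e5']
```

Tuning the false positive means adding the vendor's provider key to the `filter` list (or its installer to `filter_valid_procs`) rather than loosening the selection.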