IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Network Logon Provider Registry Modification
editNetwork Logon Provider Registry Modification
editAdversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
- Credential Access
Version: 1
Added (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editAuthorized third party network logon providers.
Rule query
editregistry where registry.data.strings != null and registry.path : "HKL M\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */ not ( user.id : "S-1-5-18" and registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll", "%SystemRoot%\\System32\\drprov.dll", "%SystemRoot%\\System32\\davclnt.dll") )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/