IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Network Logon Provider Registry Modification
editNetwork Logon Provider Registry Modification
editIdentifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Credential Access
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
Version: 106
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editregistry where host.os.type == "windows" and registry.data.strings : "?*" and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath"
) and
/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
not (
user.id : "S-1-5-18" and
registry.data.strings : (
"%SystemRoot%\\System32\\ntlanman.dll",
"%SystemRoot%\\System32\\drprov.dll",
"%SystemRoot%\\System32\\davclnt.dll",
"%SystemRoot%\\System32\\vmhgfs.dll",
"?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll",
"?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll",
"?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll"
)
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Modify Authentication Process
- ID: T1556
- Reference URL: https://attack.mitre.org/techniques/T1556/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/