Esc
Network Provider DLL - T1556.008
(ATT&CK® Technique)
Definition
Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions. During the logon process, Winlogon (the interactive logon module) sends credentials to the local mpnotify.exe process via RPC. The mpnotify.exe process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1556008["Network Provider DLL"] --> |modifies| AuthenticationService["Authentication Service"]; class T1556008 OffensiveTechniqueNode;
class AuthenticationService ArtifactNode; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService";
click T1556008 href "/offensive-technique/attack/T1556.008/"; click AuthenticationService href "/dao/artifact/d3f:AuthenticationService"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1556008["Network Provider DLL"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1556008["Network Provider DLL"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessTermination["Process Termination"] -->
| terminates | AuthenticationService["Authentication Service"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1556008["Network Provider DLL"] ;
class ProcessTermination DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | AuthenticationService["Authentication Service"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1556008["Network Provider DLL"] ;
class ProcessSuspension DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | AuthenticationService["Authentication Service"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1556008["Network Provider DLL"] ;
class HostShutdown DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1556008["Network Provider DLL"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1556008["Network Provider DLL"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | AuthenticationService["Authentication Service"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1556008["Network Provider DLL"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; SystemCallFiltering["System Call Filtering"] -->
| isolates | AuthenticationService["Authentication Service"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1556008["Network Provider DLL"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | AuthenticationService["Authentication Service"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1556008["Network Provider DLL"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | AuthenticationService["Authentication Service"];
HostReboot["Host Reboot"] -.->
| may-evict | T1556008["Network Provider DLL"] ;
class HostReboot DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | AuthenticationService["Authentication Service"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1556008["Network Provider DLL"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class AuthenticationService ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";