
Malicious Network Provider DLL allows stealing credentials

The technique of planting a malicious Network Provider DLL (T1556.008) has been used by attackers for many years, but it still hasn’t lost its popularity. Quite recently, in May of this year, the Microsoft Incident Response team published an incident investigation in which attackers used this technique to steal credentials; the use of legitimate software allowed them to remain unnoticed for a long time.

The essence of the attack:

A Network Provider DLL is a dynamic library in Windows that lets the OS interact with a specific network protocol. It implements a set of functions (the Network Provider API) that the Multiple Provider Router (MPR) uses to communicate with different networks.

Components of this type are loaded automatically when a user logs into the system and take part in network authentication, resolving network resources, and processing credentials, which makes this mechanism attractive for persistence.

Attackers can register a malicious Network Provider DLL by modifying the registry key:

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

The ProviderOrder value does not store the path to the DLL and carries no information about the module; it is only a list of provider names that Windows should initialize through the MPR mechanism. For example:

ProviderOrder = LanmanWorkstation,RDPNP,webclient,EvilProvider

In this case, Windows treats EvilProvider as a new provider and looks for its description under:

HKLM\SYSTEM\CurrentControlSet\Services\EvilProvider\NetworkProvider

From this key, the system takes the path to the library from the ProviderPath value. For example:

ProviderPath = C:\ProgramData\evilprov.dll

Once registered, Windows treats this DLL like any other provider and loads it automatically when a user logs in. Windows does not check whether it is a default system provider: the mechanism loads every component listed in ProviderOrder.
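The lookup chain just described (ProviderOrder, then Services\<name>\NetworkProvider\ProviderPath) is easy to audit on a host. The script below is an added example, not code from the original post or from Microsoft: it walks that chain and flags any provider that is not one of the three built-ins named here, has no ProviderPath at all, or points at a DLL outside System32. On Windows it reads the live registry through winreg; elsewhere it runs against a constructed snapshot shaped after the post's example. The DLL names for the built-in providers in that snapshot are assumed defaults, not values taken from a real machine.

```python
import os
import re
import sys
from typing import Callable, Dict, List, Optional

# Built-in providers named in the post; anything else in ProviderOrder deserves a look.
BASELINE_PROVIDERS = {"lanmanworkstation", "rdpnp", "webclient"}

ORDER_KEY = r"SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")
SYSTEM32 = (SYSTEM_ROOT + r"\System32").lower()

# Constructed snapshot of the relevant HKLM values, shaped after the example in the post.
# The three built-in DLL names are assumed defaults, not values read from a real host.
SAMPLE_REGISTRY: Dict[str, str] = {
    ORDER_KEY + r"\ProviderOrder": "LanmanWorkstation,RDPNP,webclient,EvilProvider",
    SERVICES_KEY + r"\LanmanWorkstation\NetworkProvider\ProviderPath": r"%SystemRoot%\System32\ntlanman.dll",
    SERVICES_KEY + r"\RDPNP\NetworkProvider\ProviderPath": r"%SystemRoot%\System32\drprov.dll",
    SERVICES_KEY + r"\webclient\NetworkProvider\ProviderPath": r"%SystemRoot%\System32\davclnt.dll",
    SERVICES_KEY + r"\EvilProvider\NetworkProvider\ProviderPath": r"C:\ProgramData\evilprov.dll",
}

Lookup = Callable[[str, str], Optional[str]]   # (key, value name) -> value data


def snapshot_lookup(snapshot: Dict[str, str]) -> Lookup:
    """Build a lookup over the in-memory snapshot; registry names are case-insensitive."""
    lowered = {k.lower(): v for k, v in snapshot.items()}

    def lookup(key: str, value: str) -> Optional[str]:
        return lowered.get((key + "\\" + value).lower())

    return lookup


def live_lookup(key: str, value: str) -> Optional[str]:
    """Read a value from HKLM on a Windows host; None if the key or value is absent."""
    import winreg  # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            data, _ = winreg.QueryValueEx(handle, value)
            return str(data)
    except OSError:
        return None


def normalise_path(path: str) -> str:
    """Expand %SystemRoot% the way the loader would and lower-case for comparison."""
    return re.sub(r"%systemroot%", lambda _m: SYSTEM_ROOT, path, flags=re.I).lower()


def audit_providers(lookup: Lookup) -> List[dict]:
    """Walk ProviderOrder -> Services\\<name>\\NetworkProvider\\ProviderPath and flag oddities."""
    order = lookup(ORDER_KEY, "ProviderOrder") or ""
    findings = []
    for name in (n.strip() for n in order.split(",") if n.strip()):
        reasons = []
        if name.lower() not in BASELINE_PROVIDERS:
            reasons.append("not a built-in provider")
        raw_path = lookup(SERVICES_KEY + "\\" + name + r"\NetworkProvider", "ProviderPath")
        if raw_path is None:
            reasons.append("listed in ProviderOrder but has no ProviderPath")
        elif not normalise_path(raw_path).startswith(SYSTEM32 + "\\"):
            reasons.append("DLL outside System32: " + raw_path)
        if reasons:
            findings.append({"provider": name, "path": raw_path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On Windows read the live registry; elsewhere walk the constructed snapshot.
    lookup = live_lookup if sys.platform == "win32" else snapshot_lookup(SAMPLE_REGISTRY)
    for finding in audit_providers(lookup):
        print(finding["provider"], "->", finding["path"], ";", "; ".join(finding["reasons"]))
```

A provider outside System32 is not proof of compromise (third-party VPN or file-system clients register providers too), so treat the output as a list of DLLs whose signature and origin should be checked, not as a verdict.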

How to catch the attack:

Detect changes in ProviderOrder or creation of ProviderPath for any network provider except for the built-in providers (LanmanWorkstation, RDPNP, webclient). Example detection rule:

logsource:
  product: windows
  category: registry_event
detection:
  # any write to the provider list itself
  selection_order:
    TargetObject|endswith: '\Control\NetworkProvider\Order\ProviderOrder'
  # ProviderPath written under Services\<name>\NetworkProvider; all parts must match
  selection_provider:
    TargetObject|contains|all:
      - '\Services\'
      - '\NetworkProvider\'
    TargetObject|endswith: '\ProviderPath'
  # exclude the built-in providers by their service key name, not by value data:
  # the ProviderOrder data always contains the built-in names, so filtering on
  # Details would also drop the event that appends a new provider to the list
  filter_main_system:
    TargetObject|contains:
      - '\Services\LanmanWorkstation\'
      - '\Services\RDPNP\'
      - '\Services\webclient\'
  condition: (selection_order or selection_provider) and not filter_main_system
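To make the rule's logic concrete, here is an added example (not code from the original post) that applies the same three clauses to a handful of constructed Sysmon-style registry value-set events and, for a ProviderOrder change, also pulls out which names in the new list are not built-in providers. The events, image paths and values are made up for the example and follow the registry paths shown above; matching is case-insensitive, as Sigma's string modifiers are.

```python
from typing import Dict, List

# Built-in providers named in the post; compared case-insensitively like Sigma does.
BASELINE_PROVIDERS = ("lanmanworkstation", "rdpnp", "webclient")

# Constructed Sysmon-style registry value-set events (EventID 13). Not real telemetry;
# the paths and values follow the example in the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider\ProviderPath",
     "Details": r"%SystemRoot%\System32\ntlanman.dll"},
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "LanmanWorkstation,RDPNP,webclient,EvilProvider"},
    {"EventID": "13", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EvilProvider\NetworkProvider\ProviderPath",
     "Details": r"C:\ProgramData\evilprov.dll"},
    {"EventID": "13", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NameServer",
     "Details": "10.0.0.53"},
]


def selection_order(target: str) -> bool:
    # TargetObject|endswith: '\Control\NetworkProvider\Order\ProviderOrder'
    return target.endswith("\\control\\networkprovider\\order\\providerorder")


def selection_provider(target: str) -> bool:
    # TargetObject|contains|all: '\Services\', '\NetworkProvider\'  and  |endswith: '\ProviderPath'
    return ("\\services\\" in target and "\\networkprovider\\" in target
            and target.endswith("\\providerpath"))


def filter_main_system(target: str) -> bool:
    # TargetObject|contains: '\Services\<built-in name>\'
    return any("\\services\\" + name + "\\" in target for name in BASELINE_PROVIDERS)


def matches_rule(event: Dict[str, str]) -> bool:
    """condition: (selection_order or selection_provider) and not filter_main_system"""
    target = event.get("TargetObject", "").lower()
    return (selection_order(target) or selection_provider(target)) and not filter_main_system(target)


def unexpected_providers(provider_order: str) -> List[str]:
    """Names in a ProviderOrder value that are not one of the built-in providers."""
    return [n.strip() for n in provider_order.split(",")
            if n.strip() and n.strip().lower() not in BASELINE_PROVIDERS]


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of events and build a short reason string per alert."""
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        target = event["TargetObject"]
        if selection_order(target.lower()):
            names = unexpected_providers(event.get("Details", ""))
            reason = "ProviderOrder changed; unexpected providers: " + (", ".join(names) or "none")
        else:
            reason = "ProviderPath set for non built-in provider: " + event.get("Details", "")
        alerts.append({"reason": reason, "image": event.get("Image", ""), "target": target})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["image"], "|", alert["target"], "|", alert["reason"])
```

Run against the sample, the first event (a built-in provider's own ProviderPath) is dropped by the filter, the fourth never matches a selection, and the two writes that register EvilProvider each produce an alert. When triaging, the Image field is the first thing to look at: the built-in providers are written by the OS during setup and servicing, not by an interactive tool.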
