Sigma rules for NPPSPY
3 rules · scoped to tool · back to NPPSPY
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
- https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2024-06-27
tags:
- attack.credential-access
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\NPPSpy.txt'
- '\NPPSpy.dll'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
# filter:
# CommandLine|contains:
# - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
# - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
# - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
filter:
TargetObject|contains:
- '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
- '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
- '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
filter_valid_procs:
Image: C:\Windows\System32\poqexec.exe
condition: selection and not 1 of filter*
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: medium