Detects registration of new or modified network provider DLLs via registry changes, anomalous file creation of DLLs in system directories, and suspicious process activity (mpnotify.exe interacting with non-standard DLLs). Multi-event correlation ties registry modification events to subsequent DLL loads during user logon activity.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Field | Description |
|---|---|
| MonitoredRegistryKeys | Specific registry keys to monitor for DLL registration (e.g., NetworkProvider Order). |
| SuspiciousDLLPaths | Directories or file name patterns outside of normal system DLL locations. |
| TimeWindow | Window correlating registry modification, DLL creation, and subsequent logon activity. |