NPPSPY is an implementation of a theoretical mechanism, first presented in 2004, for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1557 | Adversary-in-the-Middle | NPPSPY opens a new network listener for the
Enterprise | T1119 | Automated Collection | NPPSPY collection is automatically recorded to a specified file on the victim machine.[1]
Enterprise | T1005 | Data from Local System | NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.[1]
Enterprise | T1656 | Impersonation | NPPSPY creates a network listener using the misspelled label
Enterprise | T1056 | Input Capture | NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.[1]
Enterprise | T1112 | Modify Registry | NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process.[1]
Enterprise | T1552 | Unsecured Credentials | NPPSPY captures credentials by recording them through an alternative network listener registered to the
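Because the technique depends on a Registry-registered Network Provider that Winlogon notifies at logon, a defender can audit that provider list directly. The following PowerShell is an added example (not code from the page or from the NPPSPY project): it walks the documented Windows provider order key, resolves each provider's DLL, and flags any entry whose file is missing or not validly signed by Microsoft for review; the `Suspicious` heuristic is an assumption of this example, not a MITRE definition.

```powershell
# Added example: audit registered Network Providers (the mechanism NPPSPY abuses).
# Registry locations below are the documented Windows ones; run as Administrator.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

function Get-NetworkProviderAudit {
    foreach ($entry in ($providerOrder -split ',')) {
        $name = $entry.Trim()
        if (-not $name) { continue }

        # Each provider lives under its service key; ProviderPath names the DLL Winlogon loads.
        $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $props = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
        $rawPath = $props.ProviderPath

        # ProviderPath commonly contains variables such as %SystemRoot%; expand before checking.
        $resolved = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }
        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $resolved } else { $null }

        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $validMs = [bool]($sig -and $sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')

        [PSCustomObject]@{
            Provider        = $name
            DisplayName     = $props.Name
            ProviderPath    = $resolved
            Exists          = $exists
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
            Signer          = $signer
            # Heuristic (assumption of this example): anything Winlogon will hand credentials to
            # that is not a validly Microsoft-signed DLL deserves analyst review.
            Suspicious      = -not $validMs
        }
    }
}

Get-NetworkProviderAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Baseline the output on a known-good build and alert on any new provider name appearing in `ProviderOrder`, since a rogue provider must modify that value to be invoked at logon.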