NPPSPY

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[1][2]

ID: S1131
Type: TOOL
Platforms: Windows
Contributors: Dray Agha, @Purp1eW0lf, Huntress Labs
Version: 1.0
Created: 17 May 2024
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1557 Adversary-in-the-Middle

NPPSPY opens a new network listener for the mpnotify.exe process that is typically contacted by the Winlogon process in Windows. A new, alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon, effectively intercepting and redirecting the logon information.[1]

Enterprise T1119 Automated Collection

NPPSPY collection is automatically recorded to a specified file on the victim machine.[1]

Enterprise T1005 Data from Local System

NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.[1]

Enterprise T1656 Impersonation

NPPSPY registers its network listener under the misspelled provider label logincontroll, which is recorded in the Registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order.[1]

Enterprise T1056 Input Capture

NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext.[1]

Enterprise T1112 Modify Registry

NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process.[1]

Enterprise T1552 Unsecured Credentials

NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information.[1]
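A defender-side check for the registration path described above (the ProviderOrder list under the Order key), written as an added example for this entry and not taken from the ATT&CK page or the NPPSPY project. It assumes the standard Windows layout in which each name in ProviderOrder is a service whose NetworkProvider subkey holds a ProviderPath value; the "outside System32" and "non-Microsoft signer" flags are review prompts, since legitimate third-party providers (VPN clients, for example) can trip them.

```powershell
# Added defensive example: enumerate the network providers that Winlogon /
# mpnotify.exe will load, in order, and flag entries that look out of place.
# Assumption: every provider in ProviderOrder maps to
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider\ProviderPath
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order    = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

foreach ($provider in ($order -split ',')) {
    $provider = $provider.Trim()
    if (-not $provider) { continue }

    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$provider\NetworkProvider"
    $props = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ProviderPath) {
        # A name in ProviderOrder with no matching provider key is itself suspicious.
        Write-Warning "$provider : listed in ProviderOrder but has no NetworkProvider\ProviderPath"
        continue
    }

    # ProviderPath is REG_EXPAND_SZ; expand %SystemRoot% etc. before checking the file.
    $dll      = [Environment]::ExpandEnvironmentVariables($props.ProviderPath)
    $findings = @()

    if ($dll -notlike "$env:SystemRoot\System32\*") { $findings += 'DLL outside System32' }

    if (-not (Test-Path -LiteralPath $dll)) {
        $findings += 'DLL not found on disk'
    }
    else {
        # Built-in providers (ntlanman.dll, drprov.dll, davclnt.dll) are Microsoft-signed.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') {
            $findings += "signature $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += 'non-Microsoft signer'
        }
    }

    [pscustomobject]@{
        Provider = $provider
        Dll      = $dll
        Flags    = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

Run from an elevated PowerShell prompt; any provider whose Flags column is not "ok" deserves a look at who created the Services key and when, which the Registry key timestamps and EDR telemetry can answer.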

References