IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Network Logon Provider Registry Modification
Identifies modification of a network logon provider's registry configuration, specifically the ProviderPath value under a service's NetworkProvider key. Adversaries may register a rogue network logon provider DLL for persistence and/or credential access: the Multiple Provider Router (mpr.dll) loads every registered provider during interactive logon and calls its NPLogonNotify export with the user's credentials in clear text, so a malicious provider can capture passwords without touching LSASS.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Persistence
- Credential Access
Version: 3 (version history)
Added (Elastic Stack release): 7.13.0
Last modified (Elastic Stack release): 8.2.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
Authorized third-party network logon providers, such as VPN or remote file system clients that legitimately register a provider DLL during installation. Baseline the providers present on your hosts and add exceptions for their expected DLL paths rather than suppressing the rule.
Rule query
registry where registry.data.strings != null and
registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and
/* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
not ( user.id : "S-1-5-18" and
registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll", "%SystemRoot%\\System32\\drprov.dll", "%SystemRoot%\\System32\\davclnt.dll") )
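The rule query above is EQL evaluated by Elastic, but its matching logic is small enough to reproduce offline. The following Python is an added example, not part of the Elastic rule or its documentation: it re-implements the query's conditions (the case-insensitive wildcard `:` operator on registry.path, the `!= null` check, and the SYSTEM-plus-default-DLL exclusion) and runs them over a handful of constructed registry events shaped like the fields the rule reads. The event dictionaries, SIDs and the evilprov.dll path are invented for illustration; the three default DLL paths and the S-1-5-18 SID are taken from the query itself.

```python
import re

# Pattern and constants copied from the rule query.
PROVIDER_PATH_PATTERN = r"HKLM\SYSTEM\*ControlSet*\Services\*\NetworkProvider\ProviderPath"
LOCAL_SYSTEM_SID = "S-1-5-18"
DEFAULT_PROVIDER_DLLS = {
    r"%SystemRoot%\System32\ntlanman.dll",  # LanmanWorkstation
    r"%SystemRoot%\System32\drprov.dll",    # RDPNP
    r"%SystemRoot%\System32\davclnt.dll",   # WebClient
}


def eql_wildcard_match(value, pattern):
    """EQL ':' on a string: case-insensitive, '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def rule_matches(event):
    """Return True if the event satisfies the rule query's conditions."""
    if event.get("event.category") != "registry":
        return False
    strings = event.get("registry.data.strings")
    if not strings:                       # registry.data.strings != null
        return False
    if not eql_wildcard_match(event.get("registry.path", ""), PROVIDER_PATH_PATTERN):
        return False
    # Exclusion: SYSTEM writing one of the built-in provider DLLs. EQL 'in' is
    # case-sensitive (the case-insensitive form is 'in~'), so exact compare here.
    # An array field matches when any element matches.
    written_by_system = event.get("user.id") == LOCAL_SYSTEM_SID
    default_dll = any(s in DEFAULT_PROVIDER_DLLS for s in strings)
    if written_by_system and default_dll:
        return False
    return True


def run_rule(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    # 1. Windows (re)writing a default provider as SYSTEM: excluded.
    {"event.category": "registry", "user.id": "S-1-5-18",
     "registry.path": r"HKLM\SYSTEM\ControlSet001\Services\LanmanWorkstation\NetworkProvider\ProviderPath",
     "registry.data.strings": [r"%SystemRoot%\System32\ntlanman.dll"]},
    # 2. Rogue provider registered by a local admin account: alerts.
    {"event.category": "registry", "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\evilprov\NetworkProvider\ProviderPath",
     "registry.data.strings": [r"C:\ProgramData\evilprov.dll"]},
    # 3. Default DLL path written by a non-SYSTEM account: not excluded, alerts.
    {"event.category": "registry", "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider\ProviderPath",
     "registry.data.strings": [r"%SystemRoot%\System32\drprov.dll"]},
    # 4. Registry write outside the NetworkProvider path: no alert.
    {"event.category": "registry", "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry.data.strings": [r"C:\ProgramData\evilprov.dll"]},
    # 5. Value deleted (no string data): registry.data.strings is null, no alert.
    {"event.category": "registry", "user.id": "S-1-5-21-1111-2222-3333-1001",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\evilprov\NetworkProvider\ProviderPath",
     "registry.data.strings": None},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["user.id"], hit["registry.path"], hit["registry.data.strings"])
```

Events 2 and 3 produce alerts; event 3 shows that the exclusion is deliberately narrow: a default DLL path is only trusted when LocalSystem writes it, so a user-context tool pointing a new service at drprov.dll still fires.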
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Modify Authentication Process
  - ID: T1556
  - Reference URL: https://attack.mitre.org/techniques/T1556/
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Create or Modify System Process
  - ID: T1543
  - Reference URL: https://attack.mitre.org/techniques/T1543/
Rule version history
- Version 3 (8.2.0 release)
  - Formatting only
- Version 2 (8.1.0 release)
  - Formatting only