DET0580 Detect Network Provider DLL Registration and Credential Capture

Item           Value
ID             DET0580
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1556.008 (Network Provider DLL)

Analytics

Windows

AN1598

Detects registration of a new or modified network provider DLL through registry changes (the ProviderOrder value under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and the ProviderPath value under HKLM\SYSTEM\CurrentControlSet\Services\<provider>\NetworkProvider), anomalous creation of DLL files in system directories, and suspicious process activity: mpnotify.exe, the logon notification process that loads every registered provider at user logon and passes the plaintext credentials to its NPLogonNotify export, loading a DLL from a non-standard path. Multi-event correlation ties the registry modification to the subsequent DLL load during logon within a configurable time window, so that a registry change alone (common during software installation) does not fire.

Log Sources
Data Component                               Name                  Channel
Windows Registry Key Modification (DC0063)   WinEventLog:Security  EventCode=4657
File Creation (DC0039)                       WinEventLog:Sysmon    EventCode=11
Process Access (DC0035)                      WinEventLog:Sysmon    EventCode=10
Module Load (DC0016)                         WinEventLog:Sysmon    EventCode=7

Security event 4657 is only written when object access auditing is enabled and a SACL for value writes is set on the monitored keys; without that audit configuration the registry leg of the correlation produces no events.
Mutable Elements
Field                  Description
MonitoredRegistryKeys  Specific registry keys to monitor for DLL registration (e.g., NetworkProvider\Order and Services\<provider>\NetworkProvider).
SuspiciousDLLPaths     Directories or file name patterns outside of normal system DLL locations.
TimeWindow             Window correlating registry modification, DLL creation, and subsequent logon activity.
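The correlation described in AN1598, with the three mutable elements above as tunable defaults, run over a handful of sample events. This is an added example, not code from the ATT&CK page or from any SIEM: the event dictionaries, host name, provider name "SuspProv", the DLL path C:\ProgramData\npsvc.dll and the timestamps are all constructed for the demonstration, and the field names follow the Security 4657 and Sysmon 7/11 event XML.

```python
"""AN1598-style correlation: registry registration of a network provider,
followed within TimeWindow by mpnotify.exe loading a DLL from a non-standard path.
Constructed example; events, paths and timestamps below are made up."""
import re
from datetime import datetime, timedelta

# Mutable elements, as defaults a SOC would tune per environment.
MONITORED_REGISTRY_KEYS = [
    re.compile(r"\\NetworkProvider\\Order$", re.I),             # ProviderOrder list
    re.compile(r"\\Services\\[^\\]+\\NetworkProvider$", re.I),  # per-provider ProviderPath
]
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TIME_WINDOW = timedelta(hours=24)


def is_monitored_key(object_name):
    """True when a 4657 ObjectName points at a network provider registration key."""
    return any(p.search(object_name) for p in MONITORED_REGISTRY_KEYS)


def is_suspicious_dll_path(path):
    """A provider DLL outside the Windows system directories is suspicious."""
    p = path.lower()
    return p.endswith(".dll") and not p.startswith(TRUSTED_DLL_DIRS)


def correlate(events, window=TIME_WINDOW):
    """Return one alert per mpnotify.exe load of a suspicious DLL that is preceded,
    within the window, by a change to a monitored registry key. A Sysmon 11 event
    creating the same DLL before the load is attached as supporting evidence."""
    events = sorted(events, key=lambda e: e["time"])
    reg_mods = [e for e in events
                if e["channel"] == "Security" and e["EventCode"] == 4657
                and is_monitored_key(e["ObjectName"])]
    creations = [e for e in events
                 if e["channel"] == "Sysmon" and e["EventCode"] == 11
                 and is_suspicious_dll_path(e["TargetFilename"])]
    loads = [e for e in events
             if e["channel"] == "Sysmon" and e["EventCode"] == 7
             and e["Image"].lower().endswith("\\mpnotify.exe")
             and is_suspicious_dll_path(e["ImageLoaded"])]

    alerts = []
    for load in loads:
        related = [r for r in reg_mods
                   if timedelta(0) <= load["time"] - r["time"] <= window]
        if not related:
            continue  # suspicious load with no preceding registration: not this analytic
        dropped = [c for c in creations
                   if c["TargetFilename"].lower() == load["ImageLoaded"].lower()
                   and c["time"] <= load["time"]]
        alerts.append({
            "host": load["Computer"],
            "dll": load["ImageLoaded"],
            "loaded_by": load["Image"],
            "registry_changes": [(r["ObjectName"], r.get("ObjectValueName")) for r in related],
            "file_created_first": bool(dropped),
        })
    return alerts


# Constructed sample events (not real telemetry).
T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0 - timedelta(minutes=1), "channel": "Sysmon", "EventCode": 11, "Computer": "WS01",
     "Image": r"C:\Windows\Temp\setup.exe", "TargetFilename": r"C:\ProgramData\npsvc.dll"},
    {"time": T0, "channel": "Security", "EventCode": 4657, "Computer": "WS01",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SuspProv\NetworkProvider",
     "ObjectValueName": "ProviderPath", "NewValue": r"C:\ProgramData\npsvc.dll"},
    {"time": T0 + timedelta(seconds=2), "channel": "Security", "EventCode": 4657, "Computer": "WS01",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\Order",
     "ObjectValueName": "ProviderOrder", "NewValue": "RDPNP,LanmanWorkstation,webclient,SuspProv"},
    # unrelated registry write on the same host: must not contribute
    {"time": T0, "channel": "Security", "EventCode": 4657, "Computer": "WS01",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "Updater", "NewValue": r"C:\Users\alice\updater.exe"},
    # next logon: mpnotify.exe loads the rogue provider and a built-in one
    {"time": T0 + timedelta(hours=3), "channel": "Sysmon", "EventCode": 7, "Computer": "WS01",
     "Image": r"C:\Windows\System32\mpnotify.exe", "ImageLoaded": r"C:\ProgramData\npsvc.dll"},
    {"time": T0 + timedelta(hours=3), "channel": "Sysmon", "EventCode": 7, "Computer": "WS01",
     "Image": r"C:\Windows\System32\mpnotify.exe", "ImageLoaded": r"C:\Windows\System32\ntlanman.dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The load of a DLL from System32 and the unrelated Run-key write are filtered out, and the single alert carries both registry changes plus the earlier file creation, which is the evidence chain an analyst needs to confirm a credential-capturing provider rather than a vendor installer.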