
S1131 NPPSPY

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials after they are submitted at logon and writes them in cleartext to a file on the victim system for follow-on exfiltration. [1][2]

ID: S1131
Associated Names:
Type: TOOL
Version: 1.0
Created: 17 May 2024
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle NPPSPY registers a rogue Network Provider DLL that the mpnotify.exe process loads at logon. Winlogon hands each logon over to mpnotify.exe via RPC, so the malicious provider receives the plaintext credentials entered at Winlogon and records them, effectively intercepting the logon information. [1]
enterprise T1119 Automated Collection Credentials captured by NPPSPY are written automatically to an attacker-specified file on the victim machine. [1]
enterprise T1005 Data from Local System NPPSPY records credentials entered at the local Winlogon prompt, capturing them in cleartext. [1]
enterprise T1656 Impersonation NPPSPY registers its rogue provider under the misspelled name logincontroll and adds it to the provider list held in the Registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order, so that it passes as one of the system's network providers. [1]
enterprise T1056 Input Capture NPPSPY captures user input to the Winlogon process by inserting a newly registered malicious provider DLL into the chain of legitimate provider DLLs that mpnotify.exe notifies, allowing logon information to be recorded in cleartext. [1]
enterprise T1112 Modify Registry NPPSPY modifies the Registry to register its malicious provider so that it receives logon notifications originating from the Winlogon process. [1]
enterprise T1552 Unsecured Credentials NPPSPY captures credentials by registering an additional provider that mpnotify.exe invokes at logon, allowing cleartext recording of logon information. [1]
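Because every technique above hinges on the same Registry change, the practical check is to enumerate the providers that mpnotify.exe will load and look for one that Windows did not ship. The PowerShell below is an added example, not code from the ATT&CK entry or from the NPPSPY tool. It reads the standard Network Provider configuration (ProviderOrder under NetworkProvider\Order and NetworkProvider\HwOrder, and each provider's ProviderPath under its Services key), verifies the Authenticode signature of each DLL, and flags anything unknown, unsigned, outside System32, or carrying the logincontroll name from the entry. The $KnownGood baseline is an assumption for a default Windows client and should be extended with the providers your environment legitimately installs.

```powershell
# Added example (not part of the ATT&CK page or the NPPSPY project).
# Audits the Network Providers that mpnotify.exe notifies at logon.

$OrderKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
)

function Get-NetworkProviderAudit {
    param(
        # Assumed baseline of providers present on a stock Windows client.
        # Extend with known-good third-party providers (VPN clients, etc.).
        [string[]]$KnownGood = @('RDPNP', 'LanmanWorkstation', 'webclient', 'P9NP')
    )

    $results = @()
    foreach ($key in $OrderKeys) {
        $order = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
        if (-not $order) { continue }

        foreach ($rawName in ($order -split ',')) {
            $name   = $rawName.Trim()
            if (-not $name) { continue }

            # Each provider's DLL is declared under its service key.
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
            $np     = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
            $path   = if ($np -and $np.ProviderPath) {
                          [Environment]::ExpandEnvironmentVariables($np.ProviderPath)
                      } else { $null }
            $sig    = if ($path -and (Test-Path -LiteralPath $path)) {
                          Get-AuthenticodeSignature -FilePath $path
                      } else { $null }

            $flags = @()
            if ($KnownGood -notcontains $name)  { $flags += 'unknown-provider' }
            if ($name -ieq 'logincontroll')     { $flags += 'nppspy-default-name' }
            if (-not $path)                     { $flags += 'no-ProviderPath' }
            elseif (-not $sig)                  { $flags += 'dll-missing' }
            elseif ($sig.Status -ne 'Valid')    { $flags += "signature-$($sig.Status)" }
            elseif ($path -notmatch '^[A-Za-z]:\\Windows\\System32\\') { $flags += 'outside-system32' }

            $results += [pscustomobject]@{
                OrderKey = Split-Path -Path $key -Leaf
                Provider = $name
                DllPath  = $path
                Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Flags    = ($flags -join ',')
            }
        }
    }
    return $results
}

# Run elevated on the host being checked; any row with a non-empty Flags
# column deserves a look, and 'nppspy-default-name' or an unsigned DLL
# outside System32 matches the behaviour described above.
Get-NetworkProviderAudit | Format-Table -AutoSize
```

Note that a tool built from the same source can register under any name, so the name match is only a convenience; the durable signal is a provider whose DLL is unsigned, not Microsoft-signed, or not where Windows keeps its own providers. Pair the audit with a Registry-change alert on the NetworkProvider\Order key (T1112) so the registration is caught before the next logon, not after.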
