MITRE ATT&CK® Tool

S1131: NPPSPY

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[1][2]

Domain: Enterprise | ID: S1131 | Type: Tool | Object version: 1.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

NPPSPY matters because it targets a high-value business dependency: Windows logon credentials. The supplied ATT&CK description says it captures credentials submitted to a Windows system through a rogue Network Provider API item and writes them to a local file for later exfiltration. For leaders, the practical concern is not just malware presence; it is whether endpoint, identity, and incident response teams can prove they would notice unauthorized credential capture, suspicious registry changes, and local credential-file staging before those credentials are reused elsewhere.

Executive priority

Prioritize NPPSPY as an identity and Windows endpoint assurance issue. It connects credential access and collection behaviors with local data staging, meaning incident decisions may need to include password resets, endpoint containment, registry review, and evidence preservation. Because ATT&CK provides no official detection guidance, executives should ask whether current managed detection, EDR, Windows logging, and IR playbooks can validate registry-based persistence or configuration changes and identify files containing captured credentials without relying on a named-tool signature.

Technical view

Validate coverage around the ATT&CK relationships: Input Capture (T1056), Modify Registry (T1112), Unsecured Credentials (T1552), Data from Local System (T1005), Automated Collection (T1119), Adversary-in-the-Middle (T1557), and Impersonation (T1684.001). For Windows systems, focus on unauthorized Network Provider-related configuration changes, suspicious registry modifications, new or unusual credential-related files written locally, and follow-on collection or exfiltration preparation. Since no official detection text is supplied, detection engineering should be behavior-led and tested against local baselines rather than assuming product coverage.

Likely telemetry

  • Windows registry auditing and endpoint telemetry for security-relevant configuration changes
  • EDR process, module, and file-write telemetry on Windows hosts
  • File creation and modification evidence for unusual local files that may contain credentials
  • Authentication and identity telemetry to support follow-on credential misuse investigation
  • Incident response triage artifacts from affected Windows endpoints

Detection direction

  • Confirm whether registry changes associated with credential capture or Network Provider-related configuration are visible, retained, and alerted on where appropriate.
  • Tune detections to correlate suspicious registry modification with subsequent file creation or local data collection rather than relying only on a tool name.
  • Review false positives from legitimate Windows networking or authentication components before escalating broadly.
  • Ensure SOC playbooks treat suspected local credential capture as an identity incident, not only a host malware alert.
  • Use the related ATT&CK techniques to hunt for adjacent behavior: local data discovery, automated collection, unsecured credential storage, and possible credential reuse.

Mitigation priorities

  • Harden administrative control over Windows registry areas that affect authentication and network provider behavior.
  • Limit local administrative privileges and review who can make security-sensitive endpoint configuration changes.
  • Maintain endpoint monitoring capable of recording registry changes and suspicious file writes on Windows systems.
  • Prepare IR procedures for credential exposure, including containment, evidence collection, and coordinated credential reset decisions.
  • Validate identity controls and logging so stolen credentials can be investigated if follow-on use occurs.

Analyst notes and limits

NPPSPY is listed as a Windows software object in ATT&CK Enterprise. The official object states that it captures submitted credentials through a rogue Network Provider API item and writes them to a victim-system file. The relationship set gives useful defensive context across credential access, collection, registry modification, and local data handling, but ATT&CK does not provide a dedicated detection section for this object.

This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert active exploitation, specific threat actor use, exact registry paths, filenames, exfiltration methods, or guaranteed detection logic. Local Windows build, logging configuration, EDR visibility, and identity architecture determine practical coverage.

Official MITRE ATT&CK definition

NPPSPY

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1684.001 | Impersonation (sub-technique)
NPPSPY creates a network listener using the misspelled label logincontroll recorded to the Registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order. [1]

Enterprise | T1112 | Modify Registry
NPPSPY modifies the Registry to record the malicious listener for output from the Winlogon process. [1]

Enterprise | T1005 | Data from Local System
NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext. [1]

Enterprise | T1557 | Adversary-in-the-Middle
NPPSPY opens a new network listener for the mpnotify.exe process that is typically contacted by the Winlogon process in Windows. A new, alternative RPC channel is set up with a malicious DLL recording plaintext credentials entered into Winlogon, effectively intercepting and redirecting the logon information. [1]

Enterprise | T1552 | Unsecured Credentials
NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information. [1]

Enterprise | T1056 | Input Capture
NPPSPY captures user input into the Winlogon process by redirecting RPC traffic from legitimate listening DLLs within the operating system to a newly registered malicious item that allows for recording logon information in cleartext. [1]

Enterprise | T1119 | Automated Collection
NPPSPY collection is automatically recorded to a specified file on the victim machine. [1]
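The "Detection direction" section above asks whether Network Provider-related registry changes are visible and whether the current provider configuration can be checked against a local baseline, and the T1684.001 and T1112 rows name the key involved (HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order). The PowerShell below is an added defensive example written for this page; it is not code from the ATT&CK object, from Glexia, or from the NPPSPY project. It reads the ProviderOrder value, resolves each listed provider's registration under HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider (the standard ProviderPath and Class values), flags entries that are not in a baseline list, have no registration, load a DLL from outside System32, or carry an invalid Authenticode signature, and then reports whether the Order key has any audit (SACL) entries at all, since without one the Security log never records Event ID 4657 for a change to it. The baseline provider list and the "outside System32" heuristic are assumptions for illustration; build the baseline from a known-good host of the same Windows build, and treat the heuristic as a triage aid rather than proof either way.

```powershell
# Added example (not from the ATT&CK object or the Glexia page): point-in-time
# audit of the Windows Network Provider chain plus a check that the Order key
# is actually auditable. Run elevated; reading SACLs needs SeSecurityPrivilege.

$OrderKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Assumed baseline for a typical client build; replace with a measured one
# taken from a known-good machine of the same build.
$BaselineProviders = @('RDPNP', 'LanmanWorkstation', 'webclient')

function Get-NetworkProviderAudit {
    # ProviderOrder is a comma-separated REG_SZ listing provider names in load order.
    $order = (Get-ItemProperty -Path $OrderKey -Name ProviderOrder).ProviderOrder
    $names = $order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $names) {
        $regPath  = Join-Path $ServicesKey "$name\NetworkProvider"
        $findings = [System.Collections.Generic.List[string]]::new()
        $dll = $null; $class = $null; $signer = $null

        if ($BaselineProviders -notcontains $name) {
            $findings.Add('not in baseline')
        }

        if (Test-Path $regPath) {
            $reg   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
            $dll   = $reg.ProviderPath
            $class = $reg.Class
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                $system32 = Join-Path $env:SystemRoot 'System32'
                # Heuristic only: legitimate providers ship in System32, but a
                # DLL placed there is not automatically trustworthy.
                if (-not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                    $findings.Add("DLL outside System32: $expanded")
                }
                if (Test-Path $expanded) {
                    $sig    = Get-AuthenticodeSignature -FilePath $expanded
                    $signer = $sig.SignerCertificate.Subject
                    if ($sig.Status -ne 'Valid') {
                        $findings.Add("signature status $($sig.Status)")
                    }
                } else {
                    $findings.Add('DLL path does not exist on disk')
                }
            } else {
                $findings.Add('no ProviderPath value')
            }
        } else {
            $findings.Add('listed in ProviderOrder but has no NetworkProvider registration')
        }

        [pscustomobject]@{
            Provider     = $name
            ProviderPath = $dll
            Class        = $class
            Signer       = $signer
            Findings     = ($findings -join '; ')
        }
    }
}

function Get-OrderKeyAuditState {
    # A registry SACL must exist before "Audit Registry" events (ID 4657) can be
    # generated for modifications of this key.
    $acl = Get-Acl -Path $OrderKey -Audit
    [pscustomobject]@{
        Key               = $OrderKey
        AuditRulesPresent = ($acl.Audit.Count -gt 0)
        AuditRules        = (($acl.Audit | ForEach-Object {
                                "$($_.IdentityReference): $($_.RegistryRights) [$($_.AuditFlags)]"
                            }) -join '; ')
    }
}

Get-NetworkProviderAudit | Format-Table -AutoSize
Get-OrderKeyAuditState   | Format-List
```

Any row whose Findings column is non-empty is a candidate for the registry-to-file correlation the detection bullets describe: pull the host's registry change events for the Order key and the provider's Services subkey, then look for file creations by the same process in the same window. Schedule the audit or feed its output into your EDR's custom-collection mechanism so that drift from the baseline, not a tool name, is what raises the alert.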

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: a83b88a44151c456...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (blank) | 1.0 | (blank) | Current bundle | a83b88a44151…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Huntress NPPSPY 2022: Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.

[2] Polak NPPSPY 2004: Sergey Polak. (2004, August). Capturing Windows Passwords using the Network Provider API. Retrieved May 17, 2024.

[3] mitre-attack S1131.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.