T1556.008: Network Provider DLL

Network Provider DLL is a Windows authentication-process abuse technique where a malicious registered network provider/credential manager DLL can receive cleartext credentials during logon. The business issue is not just malware persistence; it is potential credential exposure at the point employees or administrators authenticate, especially on systems with frequent or privileged logons such as servers and domain controllers.

Executive priority

Prioritize this as an identity and Windows hardening risk. Leaders should ask whether sensitive Windows systems have controlled registry permissions, audited authentication-related configuration, and monitoring for unexpected network provider DLL registration. For incident response, the key decision value is whether a compromised host could have captured credentials after installation, which may require credential reset and scope decisions based on actual logon activity.

Technical view

This is a Windows sub-technique of Modify Authentication Process with persistence, credential-access, and defense-impairment relevance. Validate visibility into registry changes used to install network provider or credential manager DLLs, DLL presence and loading around logon activity, and logon events on high-value systems. ATT&CK provides no official detection text for this object, but the relationship to DET0580 indicates detection should focus on Network Provider DLL registration and credential capture behavior. Treat servers and domain controllers as higher-priority review targets because the ATT&CK description notes adversaries may target systems with increased or administrator logon activity.

Likely telemetry

Windows registry auditing for network provider or credential manager registration changes
File creation or modification telemetry for DLLs referenced by authentication-related registry configuration
Process and module-load telemetry involving Windows logon-related components such as Winlogon and mpnotify.exe where available
Windows logon events, especially privileged or administrator logons on servers and domain controllers
Endpoint detection and response alerts or inventory showing newly registered or unusual credential-management components

Detection direction

Baseline expected registered network provider and credential manager DLLs on Windows systems, then alert on additions or changes outside approved software deployment activity.
Correlate suspicious registration changes with subsequent user or administrator logons to assess credential exposure window.
Tune for legitimate enterprise software that registers network providers or credential managers to reduce false positives, but require change evidence and ownership for any exception.
Prioritize high-value Windows assets with frequent privileged logons; lack of registry auditing or module-load visibility is a material blind spot.
Use the related DET0580 detection strategy as the ATT&CK-supported direction, while validating locally because this object has no official detection section.

Mitigation priorities

Restrict permissions on sensitive registry locations used for authentication-related provider registration, aligning with M1024 Restrict Registry Permissions.
Harden Windows operating system configuration so unused or unnecessary authentication/provider features and components are minimized, aligning with M1028 Operating System Configuration.
Implement and regularly review auditing for authentication configuration, registry changes, and high-value host logon activity, aligning with M1047 Audit.
Maintain approved baselines for registered providers on servers and domain controllers, and investigate drift before relying on credential resets alone.
During incident response, use host timeline and logon evidence to determine which accounts authenticated after suspicious registration and may need protective action.

Analyst notes and limits

The supplied ATT&CK object supports Windows-only coverage and ties the behavior to credential access, persistence, and defense impairment. The most important defensive question is whether the organization can prove who changed authentication-related registry configuration and which users logged on afterward.

MITRE did not provide an official detection narrative for this technique in the supplied fields. Specific registry paths, event IDs, vendor detections, exploitation frequency, and attribution are not included here and should be validated against local Windows baselines and telemetry.

Official MITRE ATT&CK definition

Network Provider DLL

Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.[1] During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.[2][3][4]

Adversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.[5] Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.[4]

Adversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.[2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1556	Modify Authentication Process	This object subtechnique of Modify Authentication Process.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1024: Restrict Registry Permissions Enterprise subtechnique of · Technique T1556: Modify Authentication Process Enterprise mitigates · Mitigation M1047: Audit Enterprise mitigates · Mitigation M1028: Operating System Configuration Enterprise detects · Detection Strategy DET0580: Detect Network Provider DLL Registration and Credential Capture Enterprise

Mitigations

Mitigation direction

M1024: Restrict Registry Permissions

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys

- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access. - Use tools like `icacls` or `PowerShell` to automate permission adjustments.

Enable Registry Auditing

- Enable auditing on sensitive keys to log access attempts. - Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity. - Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`

Protect Credential-Related Hives

- Limit access to hives like `SAM`,`SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access. - Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage

- Use Group Policy to restrict access to regedit.exe for non-administrative users. - Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools

- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

*Tools for Implementation*

Registry Permission Tools:

- Registry Editor (regedit): Built-in tool to manage registry permissions. - PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"` - icacls: Command-line tool to modify ACLs.

Monitoring Tools:

- Sysmon: Monitor and log registry events. - Event Viewer: View registry access logs.

Policy Management Tools:

- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs. - Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1028: Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.

Enforce OS-level Protections:

- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

*Tools for Implementation*

Windows:

- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Mar 30, 2023, 22:45 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 3f8e03f99dfa67b7...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`3f8e03f99dfa…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Network Provider API

Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.
Open source URL
[2]
NPPSPY - Huntress

Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.
Open source URL
[3]
NPPSPY Video

Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.
Open source URL
[4]
NPLogonNotify

Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.
Open source URL
[5]
NPPSPY

Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.
Open source URL
[6]
mitre-attack T1556.008
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams