Windows attacks with Network Provider
However, techniques exist to circumvent both security features. By manipulating the core system, Virtual Secure Mode (VSM) and thus Credential Guard can be disabled, and by loading signed kernel driver, LSA Protection can be deactivated in real time. These techniques harm the integrity of the system and leave obvious traces that can be detected. Are there other techniques to get credentials that have lower requirements and less impact on a systems integrity?
User authentication is a core function of the operating system. The Windows Authentication Architecture contains multiple components that have access to credentials. When users authenticate themselves to the operating system, these components can further process the credentials. An often-used procedure is the caching of credentials in order to authenticate against other systems without users having to enter their usernames and passwords again.
The Security Support Providers (SSP) include Kerberos, NTLM (MSV1), TLS/SSL (Schannel) and Digest (WDigest). The Security Support Provider Interface (SSPI) provides support to easily load additional security modules. The registry key
Security Packages must be extended by the name of the SSPs DLL for this purpose. The key is located under the path
The LSA Protection function can be used to restrict that only SSPs signed by Microsoft are allowed to be loaded – otherwise any DLL can be loaded into the LSASS process. For example, Mimikatz has with mimilib.dll an SSP that can be loaded with administrative rights:
mimikatz(commandline)# privilege::debug Privilege '20' OK mimikatz(commandline)# misc::memssp Injected =)
Alternatively, the file mimilib.dll can be copied into the directory
%WINDIR%\system32 and the
Security Packages registry key must be expanded – if Mimikatz should not be executed on the target system. After the Mimikatz SSP has been loaded, credentials are written to
mimilsa.log after a successful login.
Attacks against LSA and the use of SSPs have been practised for years, so most of the techniques are known, countermeasures are available, and various endpoint systems can detect the attack techniques.
A network provider is a DLL that provides support for specific network protocols. They use the Network Provider API to communicate with the operating system. A network provider can also be a credential manager. They receive a notification when a user logs in, or a password is changed.
Winlogon provides the graphical interface (GUI) and authentication functionality. Winlogon communicates with mpnotify via an RPC channel and communicates usernames and passwords. The mpnotify tool then distributes this information to the registered credential managers. These can be loaded via the registry in the same way as SSPs. The registry key
ProviderOrder under the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order contains all network provider. The function NPLogonNotify is used to receive credentials as a credential manager.
The security researcher Grzegorz Tworek had written an implementation of the NPLogonNotify function with NPPSpy two years ago in July 2020. NPPSpy stores the username and password of a login in plain text in a log file.
The NPPSpy DLL is copied into the folder
%WINDIR%\system32 with administrative rights. Afterwards, some registry keys must be set and NPPSpy must be registered as a network provider. This can be done with the following PowerShell commands:
$NetworkProviderName = "NPPSpy" New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName" New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Class" -Value 2 New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Name" -Value $NetworkProviderName New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\$NetworkProviderName.dll" $NetworkProviderPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name ProviderOrder $NetworkProviderOrder = $NetworkProviderPath.ProviderOrder + ",$NetworkProviderName" Set-ItemProperty -Path $NetworkProviderPath.PSPath -Name ProviderOrder -Value $NetworkProviderOrder
After that, NPPSpy is active and saves the credentials in the file
C:\NPPSpy.txt every time someone logs in.
The attack requires administrative rights because a DLL file is copied into the Windows system directory and registry entries are created/adjusted. If attacker obtain administrative rights, the attack cannot be prevented directly. Unlike the LSASS process, there are no hardening measures for network providers. The NPPSpy DLL may be detected by an endpoint solution.
To detect the attack, the registry key
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder should be monitored for changes. Furthermore, Services that are registered as Network Providers can be monitored. The query suggested in the article Network Logon Provider Registry Modification can be used for Elasticsearch, for example:
registry where registry.data.strings != null and registry.path : "HKL M\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */ not ( user.id : "S-1-5-18" and registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll", "%SystemRoot%\\System32\\drprov.dll", "%SystemRoot%\\System32\\davclnt.dll") )
In Grzegorz Tworek’s repository there is also the PowerShell script Get-NetworkProviders.ps1, which lists all registered network providers of a system. This is used to analyse the network providers and lists additional information about the respective DLL file, whether it was signed and by whom.
PS C:\> .\Get-NetworkProviders.ps1 Name : RDPNP DllPath : C:\Windows\System32\drprov.dll Signer : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Version : 10.0.19041.1 (WinBuild.160101.0800) Description : Microsoft Remote Desktop Session Host Server Network Provider Name : LanmanWorkstation DllPath : C:\Windows\System32\ntlanman.dll Signer : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Version : 10.0.19041.1 (WinBuild.160101.0800) Description : Microsoft® Lan Manager Name : webclient DllPath : C:\Windows\System32\davclnt.dll Signer : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Version : 10.0.19041.546 (WinBuild.160101.0800) Description : Web DAV Client DLL Name : NPPSpy DllPath : C:\Windows\System32\NPPSPY.dll Signer : Version : Description :
The network provider NPPSpy is suspicious in this case. Attackers can, of course, choose any name, but the missing signature is a suspect indicator.
Attacks against LSAs are widespread and consequently some hardening measures exist to make such attacks more difficult. The complexity and requirements for LSA attacks are constantly increasing. In addition, the extraction of LSA memory is detected and partially blocked by many endpoint solutions. In contrast, attacks using network providers are easy to implement and are much less monitored. Accordingly, defenders should implement suitable detection use cases for network providers. For attackers, network provider are an alternative to still extract credentials. In contrast to an LSA dump, however, attackers do not directly obtain credentials, but must access the log file again at a later time and hope that someone has logged into the system.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here