". iocs and behavior - os credential dumping - att & ck t1003 - values under hklm \ system \ currentcontrolset \ control \ networkprovider \ order - for our case : logincontroll - unexplained entries in hklm \ system \ currentcontrolset \ services \ < here > \ networkprovider - fo…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1003.001 LSASS Memory (89%)
"machine and type in your password to authenticate, a bunch of different things are done on the back end with your credentials : hashing, checking, flying back and forth to a domain controller, etc. the conversation between winlogon and local security authority subsystem service (…"
T1078 Valid Accounts (69%)
"this network provider is attacker - controlled and comes with a backdoored dll the adversary has created. this slippery dll simply listens for this clear text credential exchange from winlogon down to mpnotify and then saves this clear text credential exchange. what did we find i…"
T1003 OS Credential Dumping (67%)
"this network provider is attacker - controlled and comes with a backdoored dll the adversary has created. this slippery dll simply listens for this clear text credential exchange from winlogon down to mpnotify and then saves this clear text credential exchange. what did we find i…"
T1555 Credentials from Password Stores (62%)
"seeing a tonne of cleartext usernames and passwords was wild. outstanding oddities you know, something always interesting with investigations is that even when you reach one conclusion, there is always one thread out of place, waiting for you to pull, unravel and get further lost…"
T1003 OS Credential Dumping (61%)
"gifting user passwords to adversaries with nppspy | huntress while investigating an intrusion, huntress stumbled on something rather fascinating to do with adversarial credential gathering. threat actors are often retrospectively gathering credentials by dumping what ’ s already …"
T1003.001 LSASS Memory (61%)
"this network provider is attacker - controlled and comes with a backdoored dll the adversary has created. this slippery dll simply listens for this clear text credential exchange from winlogon down to mpnotify and then saves this clear text credential exchange. what did we find i…"
T1003.001 LSASS Memory (49%)
"we then looked at the compromised system. very satisfyingly, we could account for the exact techniques the threat actor had leveraged. - the network provider in this instance was named logincontroll ( typo intentional ) - it occupied hklm \ system \ currentcontrolset \ control \ …"
T1587 Develop Capabilities (37%)
"offensive security research helps us defenders stay sharp, and motivate us to constantly improve our tradecraft. those attackers got in somehow, and there are always lessons to learn about hardening defenses and imposing cost on dipsh * t adversaries. techniques like nppspy have …"
T1555.003 Credentials from Web Browsers (31%)
"squirrel away the user ’ s name and password in an unassuming file. it seems that the community has documented this nppspy technique in theory, but so far it seems like no one has documented when they have encountered it maliciously deployed in the wild. in this article, let ’ s …"
T1003 OS Credential Dumping (30%)
"we then looked at the compromised system. very satisfyingly, we could account for the exact techniques the threat actor had leveraged. - the network provider in this instance was named logincontroll ( typo intentional ) - it occupied hklm \ system \ currentcontrolset \ control \ …"
Summary
We unravel an investigation that details one way threat actors are able to gather cleartext passwords via NPPSPY.