T1556.008
Network Provider DLL
Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the...
Windows
1 Detections
1 Sources
0 Threat Actors
BY SOURCE
1 elastic
PROCEDURES (1)
Registry Monitoring: 1 detection
Auto-extracted: 1 detection for registry monitoring