{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/ica-client/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","ICA Client","SARemediation","Endpoint Connect"],"_cs_severities":["medium"],"_cs_tags":["credential-access","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix","Dell","CheckPoint"],"content_html":"\u003cp\u003eAttackers may modify the network logon provider registry to gain persistence or access credentials. This involves registering a rogue network logon provider module that intercepts authentication credentials in clear text during user logon. The modification of the ProviderPath key under the NetworkProvider service registry path can be indicative of this malicious activity. The registry modification is often performed by non-system accounts and the adversary will attempt to hide the malicious DLL by placing it in common directories. This technique allows adversaries to steal user credentials or maintain persistent access to the compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, possibly through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the registry key related to network logon providers: \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eProviderPath\u003c/code\u003e registry value to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system loads the malicious DLL during the logon process.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts user credentials in clear text.\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the intercepted credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the harvested credentials for lateral movement or further exploitation of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of user credentials, allowing attackers to gain unauthorized access to sensitive systems and data. Modification of the network logon provider registry enables attackers to maintain persistent access to the compromised system, even after a reboot. This can result in data breaches, financial losses, and reputational damage. The severity depends on the level of access granted to the compromised accounts and the sensitivity of the data they can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications to the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\NetworkProvider\\ProviderPath\u003c/code\u003e key, using the provided Sigma rule to detect suspicious changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture registry modifications.\u003c/li\u003e\n\u003cli\u003eRegularly audit network logon providers and verify the integrity and authenticity of the registered DLLs.\u003c/li\u003e\n\u003cli\u003eInvestigate processes modifying the registry and their associated file creation events for unknown or suspicious processes.\u003c/li\u003e\n\u003cli\u003eBlock execution of unsigned or untrusted DLLs in the network logon provider path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Network Logon Provider Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-network-logon-provider-modification/","summary":"Adversaries may modify the network logon provider registry to register a rogue network logon provider module for persistence and credential access by intercepting authentication credentials in clear text during user logon.","title":"Network Logon Provider Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-network-logon-provider-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — ICA Client","version":"https://jsonfeed.org/version/1.1"}