NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17)

NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.(Citation: Huntress NPPSPY 2022)(Citation: Polak NPPSPY 2004)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | NPPSPY - S1131 (0630d1a7-54da-4a48-a6af-eb8a62b13c17) | mitre-tool | 1 |