The hypothesis is that the detection of NPPSpy hacktool usage indicates an adversary is exfiltrating cleartext user passwords from a local file, potentially enabling lateral movement or credential reuse within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential theft incidents before they lead to broader compromise.
Detection Rule
title: HackTool - NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: test
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
    - https://twitter.com/0gtweet/status/1465282548494487554
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2024-06-27
tags:
    - attack.credential-access
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\NPPSpy.txt'
            - '\NPPSpy.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName endswith "\\NPPSpy.txt" or TargetFileName endswith "\\NPPSpy.dll"
Scenario: System administrators use NPPSpy as part of a legitimate network monitoring tool to capture and analyze cleartext passwords during a security audit.
Filter/Exclusion: Exclude processes initiated by the admin user account (username = "admin") or processes running under the Local System account.
Scenario: A scheduled job runs nightly to collect cleartext passwords for auditing purposes using NPPSpy.
Filter/Exclusion: Exclude processes that match the scheduled task name (process.name = "AuditPasswordCollector") or have a specific command-line argument (process.args = "--audit-mode").
Scenario: A third-party security tool (e.g., Wireshark or tcpdump) is used to capture network traffic, which includes cleartext passwords, and NPPSpy is mistakenly flagged as part of the capture process.
Filter/Exclusion: Exclude processes that are child processes of Wireshark or tcpdump (parent_process.name = "wireshark" OR parent_process.name = "tcpdump").
Scenario: A Windows service is configured to use NPPSpy to log user credentials for access control purposes, such as in a legacy authentication system.
Filter/Exclusion: Exclude processes that are running as a Windows service (process.service_name IS NOT NULL) or have a specific service name (process.service_name = "CredentialLoggerService").
Scenario: A development team uses NPPSpy to test password handling in a local application, storing cleartext passwords temporarily for debugging.
Filter/Exclusion: Exclude processes that are running from a specific directory (process.cwd = "C:\Dev\PasswordTest") or have a specific command-line argument (process.args = "--debug").
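The following is an added example, not code from the Sigma rule, the Sentinel query or the scenarios above. It evaluates the rule's `TargetFilename|endswith` selection over constructed Windows file events, renders the same selection as the ASIM `imFileEvent` query, and applies one narrow exclusion of the kind listed in the false-positive scenarios (the development test directory). Every path, user and process image in the sample events is constructed for the demonstration; the `excluded_dev_test_dir` helper and its directory are hypothetical.

```python
"""Added example: evaluate the NPPSpy file-event selection and a narrow exclusion
over constructed telemetry. Not part of the rule or the Sentinel query."""

from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence

# Suffixes taken from the rule's selection list.
NPPSPY_SUFFIXES: Sequence[str] = ("\\NPPSpy.txt", "\\NPPSpy.dll")


@dataclass(frozen=True)
class FileEvent:
    target_filename: str   # Sysmon TargetFilename / ASIM TargetFileName
    image: str             # process that created the file
    user: str              # account the process ran as


def matches_selection(event: FileEvent, suffixes: Sequence[str] = NPPSPY_SUFFIXES) -> bool:
    """Sigma string modifiers compare case-insensitively unless |cased is added,
    and KQL `endswith` is case-insensitive as well (endswith_cs is not),
    so both sides are lower-cased before comparing."""
    name = event.target_filename.lower()
    return any(name.endswith(suffix.lower()) for suffix in suffixes)


def to_kql(suffixes: Sequence[str] = NPPSPY_SUFFIXES) -> str:
    """Render the selection as an ASIM imFileEvent query. Backslashes are
    doubled because KQL double-quoted string literals use backslash escapes."""
    clauses = [
        'TargetFileName endswith "%s"' % suffix.replace("\\", "\\\\")
        for suffix in suffixes
    ]
    return "imFileEvent\n| where " + " or ".join(clauses)


def excluded_dev_test_dir(event: FileEvent) -> bool:
    """Hypothetical narrow exclusion modelled on the development-team scenario:
    only files written under one agreed test directory are suppressed."""
    return event.target_filename.lower().startswith("c:\\dev\\passwordtest\\")


def hunt(events: Iterable[FileEvent],
         exclusions: Sequence[Callable[[FileEvent], bool]] = ()) -> List[FileEvent]:
    """Return the events that match the selection and trip no exclusion."""
    return [
        e for e in events
        if matches_selection(e) and not any(excl(e) for excl in exclusions)
    ]


# Constructed sample telemetry (paths, images and users are made up).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Windows\System32\NPPSpy.dll", r"C:\Users\jdoe\setup.exe", r"CORP\jdoe"),
    FileEvent(r"C:\NPPSpy.txt", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    FileEvent(r"C:\Temp\nppspy.TXT", r"C:\Temp\run.exe", r"CORP\jdoe"),             # case variant still matches
    FileEvent(r"C:\Users\jdoe\myNPPSpy.txt", r"C:\Windows\notepad.exe", r"CORP\jdoe"),  # no '\' boundary: no match
    FileEvent(r"C:\Dev\PasswordTest\NPPSpy.txt", r"C:\Dev\PasswordTest\app.exe", r"CORP\dev1"),  # matches, then excluded
    FileEvent(r"C:\Users\jdoe\report.docx", r"C:\Program Files\Word.exe", r"CORP\jdoe"),  # unrelated
]


if __name__ == "__main__":
    print(to_kql())
    for event in hunt(SAMPLE_EVENTS, exclusions=[excluded_dev_test_dir]):
        print("ALERT", event.user, event.image, event.target_filename)
```

The leading backslash in each suffix is what keeps `myNPPSpy.txt` from matching, and the KQL rendering shows why the Sentinel query carries `"\\NPPSpy.txt"` where the Sigma rule has `'\NPPSpy.txt'`. When tuning, keep each exclusion tied to the narrowest attribute the scenario names (one directory, one task or service name) and review the suppressed events periodically, since a file named NPPSpy.txt appearing anywhere outside that scope is still the behaviour the rule exists to catch.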