T1556.002 Password Filter DLL Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PasswordFilterRegistryKeys = dynamic([
  @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages",
  @"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"
]);
let RegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Control\\Lsa" and RegistryValueName =~ "Notification Packages"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine;
let DLLsInSystem32 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath =~ @"C:\Windows\System32"
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("msiexec.exe", "wusa.exe", "TrustedInstaller.exe", "svchost.exe")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SHA256;
union RegistryChanges, DLLsInSystem32
| sort by Timestamp desc

critical severity high confidence

Data Sources

Windows Registry: Registry Key Modification File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents

False Positives

Legitimate enterprise password policy enforcement tools (e.g., Enzoic, nFront Security Password Filter) that register valid password filter DLLs
Microsoft's own passfilt.dll which is installed by default and listed in Notification Packages
Domain controller software updates or Group Policy enforcement tools that modify LSA security packages
Third-party identity management solutions (e.g., CyberArk, BeyondTrust) that install password interception components

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  TargetObject="*\\Control\\Lsa\\Notification Packages*"
| eval RegistryChange="LSA Notification Packages Modified"
| table _time, host, TargetObject, Details, Image, ProcessId, User, RegistryChange
| sort - _time
| append
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
   TargetFilename="*\\Windows\\System32\\*.dll"
   NOT (Image="*\\msiexec.exe" OR Image="*\\wusa.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\svchost.exe" OR Image="*\\System32\\poqexec.exe")
  | table _time, host, TargetFilename, Image, CommandLine, User]
| sort - _time

critical severity high confidence

Data Sources

Windows Registry: Registry Value Set File: File Creation Sysmon Event ID 13 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate password complexity enforcement DLLs registered by enterprise security tools
Windows Update installing passfilt.dll or related security components
Enterprise identity management tools installing password policy enforcement components
Security software updates that modify Notification Packages

Elastic Security (EQL)

eql

any where
  (
    event.category == "registry" and
    event.type in ("change", "creation") and
    (
      registry.path : "*\\Control\\Lsa\\Notification Packages" or
      (registry.key : "*\\Control\\Lsa" and registry.value : "Notification Packages")
    )
  )
  or
  (
    event.category == "file" and
    event.type == "creation" and
    file.path : "C:\\Windows\\System32\\*.dll" and
    not process.name : ("msiexec.exe", "wusa.exe", "TrustedInstaller.exe",
                        "svchost.exe", "poqexec.exe", "MsMpEng.exe")
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (windows integration) Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-windows.*

False Positives

Third-party enterprise password policy enforcement products (e.g., nFront Password Filter, Enzoic for Active Directory, SpecOps Password Policy) that legitimately register DLLs under Notification Packages on domain controllers during installation or upgrades
Enterprise PAM/privileged identity solutions (CyberArk CPM, BeyondTrust) that install credential hooks in System32 and register with LSA as part of their deployment or agent updates
Windows in-place upgrades or cumulative update packages where Windows servicing processes create new DLLs in System32 during major OS feature updates — edge cases may exist outside the standard installer process allowlist

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  hostname,
  username,
  "EventID",
  "TargetObject",
  "Details",
  "TargetFilename",
  "Image",
  "CommandLine"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND (
    (
      "EventID" = '13'
      AND "TargetObject" ILIKE '%\\Control\\Lsa\\Notification Packages%'
    )
    OR
    (
      "EventID" = '11'
      AND "TargetFilename" ILIKE '%\\Windows\\System32\\%.dll'
      AND "Image" NOT ILIKE '%\\msiexec.exe'
      AND "Image" NOT ILIKE '%\\wusa.exe'
      AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
      AND "Image" NOT ILIKE '%\\svchost.exe'
      AND "Image" NOT ILIKE '%\\poqexec.exe'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

critical severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log (Sysmon via WinCollect or Universal DSM)

Required Tables

events

False Positives

Legitimate password filter products (nFront, Enzoic, SpecOps) registering their DLLs in Notification Packages during installation or version upgrades on Windows domain controllers
Security agent installations from endpoint protection vendors that write DLLs to System32 as part of LSA protection or credential guard features during initial deployment
Domain controller patching via WSUS or SCCM where Windows Update delivers DLL updates through processes not present in the exclusion list during staged or out-of-band patching cycles

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*sysmon*)
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse "<Data Name='Details'>*</Data>" as RegDetails nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse "<Data Name='Image'>*</Data>" as Image nodrop
| parse "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse "<Data Name='User'>*</Data>" as SysmonUser nodrop
| where
  (EventID = "13" and TargetObject matches "*\\Control\\Lsa\\Notification Packages*")
  or
  (EventID = "11"
   and TargetFilename matches "*\\Windows\\System32\\*.dll"
   and NOT (Image matches "*\\msiexec.exe"
     or Image matches "*\\wusa.exe"
     or Image matches "*\\TrustedInstaller.exe"
     or Image matches "*\\svchost.exe"
     or Image matches "*\\poqexec.exe"))
| if (EventID = "13", "LSA Notification Packages Modified", "Suspicious DLL Written to System32") as DetectionType
| fields _time, _sourceHost, EventID, DetectionType, TargetObject, TargetFilename, Image, CommandLine, SysmonUser
| sort by _time desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon (Microsoft-Windows-Sysmon/Operational channel)

Required Tables

_sourceCategory matching *windows*sysmon* or *endpoint*sysmon*

False Positives

Enterprise password policy enforcement product installations (Enzoic for AD, nFront Password Filter, SpecOps) modifying Notification Packages during normal setup on domain controllers — validate DLL name added against vendor documentation and digital signature
EDR/AV vendors writing DLLs to System32 during initial agent deployment or engine updates, particularly vendors that integrate at the LSA or credential provider level
Automated configuration management tools (Ansible, Puppet, Chef DSC) that enforce the Notification Packages registry value during periodic compliance runs, triggering a registry write event even when the net content is unchanged

Google Chronicle / SecOps

yaral

rule t1556_002_password_filter_dll_registration {
  meta:
    author = "Detection Engineering"
    description = "Detects registration of a Password Filter DLL via modification of the Windows LSA Notification Packages registry key (T1556.002). Malicious filters receive plaintext credentials on every domain password change. Associated with Strider/ProjectSauron and OilRig threat actors targeting domain controllers."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.002"
    mitre_attack_technique_name = "Modify Authentication Process: Password Filter DLL"
    severity = "CRITICAL"
    confidence = "HIGH"
    platform = "Windows"
    data_source = "Sysmon, Windows Endpoint"
    version = "1.0"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($e.target.registry.registry_key,
      `(?i)\\(CurrentControlSet|ControlSet001|ControlSet002)\\Control\\Lsa`)
    $e.target.registry.registry_value_name = "Notification Packages"
    $e.principal.hostname = $hostname

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Forwarder (Windows Event / Sysmon) Chronicle UDM normalized events

Required Tables

UDM Events (REGISTRY_MODIFICATION event type)

False Positives

Legitimate enterprise password filter software installations (nFront, Enzoic, SpecOps) adding their DLL name to Notification Packages on domain controllers — validate by comparing the added DLL name against known vendor DLL names and verifying digital signature
Domain administrator configuration scripts or GPO enforcement that explicitly sets Notification Packages to a known-good list — fires on every enforcement action even when the content is net-unchanged
Third-party identity security platforms (CyberArk, SailPoint, Saviynt) that register credential hook DLLs during agent installation or update cycles on privileged hosts

CrowdStrike LogScale (CQL)

cql

union(
  {
    #event_simpleName = "RegSetValue"
    | RegObjectName = /(?i).*\\Control\\Lsa$/
    | RegValueName = "Notification Packages"
    | DetectionType := "LSA Notification Packages Modified"
  },
  {
    #event_simpleName = "PeFileWritten"
    | TargetFileName = /(?i).*\\Windows\\System32\\.*\.dll$/
    | ImageFileName != /(?i).*(msiexec|wusa|TrustedInstaller|svchost|poqexec)\.exe$/
    | DetectionType := "Suspicious DLL Written to System32"
  }
)
| table(
    [_time, ComputerName, UserName, #event_simpleName, DetectionType,
     RegObjectName, RegValueName, RegStringValue, TargetFileName,
     ImageFileName, CommandLine]
  )
| sort(field=_time, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio)

Required Tables

Falcon events: RegSetValue Falcon events: PeFileWritten

False Positives

CrowdStrike Falcon sensor or other EDR products that register protective DLLs in System32 and update Notification Packages as part of LSA protection features — establish a baseline of expected DLL names and authorized process names for your environment
Third-party password filter vendors (nFront Security, Enzoic, Specops Software) performing initial installation or product updates on domain controllers — correlate with change management records to distinguish authorized from unauthorized changes
Windows Credential Guard enablement or LSA hardening scripts that modify Notification Packages to enforce a known-good baseline — these generate a RegSetValue event matching this detection even when removing rather than adding entries

Password Filter DLL

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections