T1556.002 Google Chronicle · YARA-L

Detect Password Filter DLL in Google Chronicle

Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.

MITRE ATT&CK

Tactic
Credential Access, Defense Evasion, Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.002 Password Filter DLL
Canonical reference
https://attack.mitre.org/techniques/T1556/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1556_002_password_filter_dll_registration {
  meta:
    author = "Detection Engineering"
    description = "Detects registration of a Password Filter DLL via modification of the Windows LSA Notification Packages registry key (T1556.002). Malicious filters receive plaintext credentials on every domain password change. Associated with Strider/ProjectSauron and OilRig threat actors targeting domain controllers."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1556.002"
    mitre_attack_technique_name = "Modify Authentication Process: Password Filter DLL"
    severity = "CRITICAL"
    confidence = "HIGH"
    platform = "Windows"
    data_source = "Sysmon, Windows Endpoint"
    version = "1.0"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($e.target.registry.registry_key,
      `(?i)\\(CurrentControlSet|ControlSet001|ControlSet002)\\Control\\Lsa`)
    $e.target.registry.registry_value_name = "Notification Packages"
    $e.principal.hostname = $hostname

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting modification of the Windows LSA Notification Packages registry key — the definitive mechanism for registering Password Filter DLLs. Targets the registry-write phase of T1556.002. A companion rule for DLL file creation in System32 by non-installer processes is recommended for full technique coverage.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Forwarder (Windows Event / Sysmon)
  • Chronicle UDM normalized events

Required Tables

UDM Events (REGISTRY_MODIFICATION event type)

False Positives & Tuning

  • Legitimate enterprise password filter software installations (nFront, Enzoic, SpecOps) adding their DLL name to Notification Packages on domain controllers — validate by comparing the added DLL name against known vendor DLL names and verifying digital signature
  • Domain administrator configuration scripts or GPO enforcement that explicitly sets Notification Packages to a known-good list — fires on every enforcement action even when the content is net-unchanged
  • Third-party identity security platforms (CyberArk, SailPoint, Saviynt) that register credential hook DLLs during agent installation or update cycles on privileged hosts
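The registry check in the rule above, the companion System32 DLL-drop rule recommended for full coverage, and the allowlist-based triage described in the false-positive list, modelled together as an added Python example over constructed Sysmon events. This is not the page's YARA-L rule or any vendor's code; the baseline package list, the vendor allowlist entry, the installer image list and the event field layout are assumptions made for the example.

```python
"""Model of the T1556.002 registry detection plus companion checks.

Added example: runs the same registry-key test as the YARA-L rule over
constructed Sysmon Event ID 13/11 records, then applies the tuning steps
(baseline diff, vendor allowlist, installer allowlist) from the page.
"""
from __future__ import annotations

import re

# Same key pattern as the YARA-L rule, extended with the value name so a
# full Sysmon TargetObject can be matched in one step.
NOTIFICATION_PACKAGES_RE = re.compile(
    r"(?i)\\(CurrentControlSet|ControlSet001|ControlSet002)"
    r"\\Control\\Lsa\\Notification Packages$"
)

# Baseline package names expected on this host (assumption for the example;
# capture the real value from each domain controller before tuning).
BASELINE_PACKAGES = frozenset({"scecli", "rassfm"})

# DLL base names of approved enterprise password-filter products.
# Placeholder entry; populate from vendor documentation after verifying signatures.
VENDOR_ALLOWLIST = frozenset({"approved_vendor_filter"})

# Images that legitimately write DLLs into System32 (assumption for the example).
INSTALLER_IMAGES = frozenset({
    "c:\\windows\\system32\\msiexec.exe",
    "c:\\windows\\servicing\\trustedinstaller.exe",
})


def parse_packages(details: str) -> list[str]:
    """Split the multi-string value into lower-cased package names.

    Constructed events carry the list whitespace-separated; real telemetry
    may render REG_MULTI_SZ differently, so adapt the separator there."""
    return [p.lower() for p in re.split(r"[\s,;]+", details) if p]


def triage_notification_packages(event: dict, baseline=BASELINE_PACKAGES,
                                 allowlist=VENDOR_ALLOWLIST) -> dict | None:
    """Classify a Sysmon Event ID 13 write to Notification Packages.

    Returns None for events that are not such a write, otherwise a dict with
    verdict 'unchanged' (GPO re-enforcement with identical content), 'vendor'
    (only allow-listed names added) or 'suspicious'."""
    if event.get("EventID") != 13:
        return None
    if not NOTIFICATION_PACKAGES_RE.search(event.get("TargetObject", "")):
        return None
    new = set(parse_packages(event.get("Details", "")))
    added, removed = new - baseline, baseline - new
    if not added and not removed:
        verdict = "unchanged"
    elif added <= allowlist and not removed:
        verdict = "vendor"
    else:
        verdict = "suspicious"
    return {"verdict": verdict, "added": sorted(added), "removed": sorted(removed),
            "image": event.get("Image", "")}


def is_unexpected_system32_dll(event: dict, installers=INSTALLER_IMAGES) -> bool:
    """Companion check: Sysmon Event ID 11 creating a .dll under System32
    from a process that is not a known installer."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "").lower()
    if not (target.startswith("c:\\windows\\system32\\") and target.endswith(".dll")):
        return False
    return event.get("Image", "").lower() not in installers


def evaluate(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (reason, event) pairs that should raise an alert."""
    alerts = []
    for ev in events:
        verdict = triage_notification_packages(ev)
        if verdict and verdict["verdict"] == "suspicious":
            alerts.append(("notification_packages_modified", ev))
        if is_unexpected_system32_dll(ev):
            alerts.append(("system32_dll_drop_by_non_installer", ev))
    return alerts


# Constructed sample telemetry (Sysmon field names, values invented for the example).
LSA_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": LSA_KEY + "\\Notification Packages", "Details": "scecli rassfm"},
    {"EventID": 13, "Image": "C:\\Windows\\Temp\\vendor_setup.exe",
     "TargetObject": LSA_KEY + "\\Notification Packages",
     "Details": "scecli rassfm approved_vendor_filter"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": LSA_KEY + "\\Notification Packages",
     "Details": "scecli rassfm TestPasswordFilter"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\System32\\testpwdfilter.dll"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\vendorfilter.dll"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\lsass.exe",
     "TargetObject": LSA_KEY + "\\Security Packages", "Details": "kerberos msv1_0"},
]

if __name__ == "__main__":
    for reason, ev in evaluate(SAMPLE_EVENTS):
        print(reason, ev.get("Image"), ev.get("Details") or ev.get("TargetFilename"))
```

The first sample event models the GPO re-enforcement case from the tuning list (same content rewritten, no alert), the second an approved vendor install, the third the Test 1 scenario from the testing methodology, and the fourth the Test 2 DLL drop; the last event shows that writes to neighbouring LSA values such as Security Packages are ignored by this rule and need their own detection.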

Testing Methodology

Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Register a Benign Password Filter DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.

  2. Test 2: Drop a DLL File in System32 from a Non-System Process

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.

  3. Test 3: Query Current LSA Notification Packages (Reconnaissance)

    Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
