Detect Password Filter DLL in Elastic Security
Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.002 Password Filter DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1556/002/
Elastic Detection Query
any where
(
event.category == "registry" and
event.type in ("change", "creation") and
(
registry.path : "*\\Control\\Lsa\\Notification Packages" or
(registry.key : "*\\Control\\Lsa" and registry.value : "Notification Packages")
)
)
or
(
event.category == "file" and
event.type == "creation" and
file.path : "C:\\Windows\\System32\\*.dll" and
not process.name : ("msiexec.exe", "wusa.exe", "TrustedInstaller.exe",
"svchost.exe", "poqexec.exe", "MsMpEng.exe")
)Detects T1556.002 Password Filter DLL via two signals: (1) modification of the LSA Notification Packages registry key used to register password filter DLLs, and (2) creation of DLL files in C:\Windows\System32\ by non-installer processes. Covers both the registry staging and DLL drop phases of the technique.
Data Sources
Required Tables
False Positives & Tuning
- Third-party enterprise password policy enforcement products (e.g., nFront Password Filter, Enzoic for Active Directory, SpecOps Password Policy) that legitimately register DLLs under Notification Packages on domain controllers during installation or upgrades
- Enterprise PAM/privileged identity solutions (CyberArk CPM, BeyondTrust) that install credential hooks in System32 and register with LSA as part of their deployment or agent updates
- Windows in-place upgrades or cumulative update packages where Windows servicing processes create new DLLs in System32 during major OS feature updates — edge cases may exist outside the standard installer process allowlist
Other platforms for T1556.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register a Benign Password Filter DLL
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
- Test 2Drop a DLL File in System32 from Non-System Process
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.
- Test 3Query Current LSA Notification Packages (Reconnaissance)
Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
References (6)
- https://attack.mitre.org/techniques/T1556/002/
- http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md
- https://docs.microsoft.com/en-us/windows/win32/secauthn/password-filter-programming-considerations
- https://www.secureworks.com/research/skeleton-key-malware-analysis
Unlock Pro Content
Get the full detection package for T1556.002 including response playbook, investigation guide, and atomic red team tests.