T1556.002 CrowdStrike LogScale · LogScale

Detect Password Filter DLL in CrowdStrike LogScale

Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.002 Password Filter DLL
Canonical reference
https://attack.mitre.org/techniques/T1556/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
union(
  {
    #event_simpleName = "RegSetValue"
    | RegObjectName = /(?i).*\\Control\\Lsa$/
    | RegValueName = "Notification Packages"
    | DetectionType := "LSA Notification Packages Modified"
  },
  {
    #event_simpleName = "PeFileWritten"
    | TargetFileName = /(?i).*\\Windows\\System32\\.*\.dll$/
    | ImageFileName != /(?i).*(msiexec|wusa|TrustedInstaller|svchost|poqexec)\.exe$/
    | DetectionType := "Suspicious DLL Written to System32"
  }
)
| table(
    [_time, ComputerName, UserName, #event_simpleName, DetectionType,
     RegObjectName, RegValueName, RegStringValue, TargetFileName,
     ImageFileName, CommandLine]
  )
| sort(field=_time, order=desc)
critical severity high confidence

Detects T1556.002 Password Filter DLL using CrowdStrike Falcon EDR telemetry in LogScale. Uses union to combine RegSetValue events targeting LSA Notification Packages with PeFileWritten events for DLL creation in System32 by non-whitelisted processes. Requires Falcon sensor with registry monitoring and file creation telemetry enabled.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Falcon LogScale (Humio)

Required Tables

Falcon events: RegSetValueFalcon events: PeFileWritten

False Positives & Tuning

  • CrowdStrike Falcon sensor or other EDR products that register protective DLLs in System32 and update Notification Packages as part of LSA protection features — establish a baseline of expected DLL names and authorized process names for your environment
  • Third-party password filter vendors (nFront Security, Enzoic, Specops Software) performing initial installation or product updates on domain controllers — correlate with change management records to distinguish authorized from unauthorized changes
  • Windows Credential Guard enablement or LSA hardening scripts that modify Notification Packages to enforce a known-good baseline — these generate a RegSetValue event matching this detection even when removing rather than adding entries
Download portable Sigma rule (.yml)

Other platforms for T1556.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Register a Benign Password Filter DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.

  2. Test 2Drop a DLL File in System32 from Non-System Process

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.

  3. Test 3Query Current LSA Notification Packages (Reconnaissance)

    Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1547.005Security Support ProviderT1056.001KeyloggingT1003OS Credential DumpingT1574.001DLLT1068Exploitation for Privilege Escalation

Same Tactic: Credential Access

Popular Detections