T1556.002 IBM QRadar · QRadar

Detect Password Filter DLL in IBM QRadar

Adversaries may register a malicious password filter DLL to harvest credentials as they are validated. Password filters are DLLs listed in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages (by name, without the .dll suffix) and placed in %SystemRoot%\System32; lsass loads them at boot and calls each one with the plaintext password before a password change is accepted. A malicious filter therefore receives the plaintext password of every account whose password is changed on that host, and on a domain controller that includes domain accounts. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.

MITRE ATT&CK

Tactic
Credential Access, Defense Evasion, Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.002 Password Filter DLL
Canonical reference
https://attack.mitre.org/techniques/T1556/002/

QRadar Detection Query

IBM QRadar (AQL)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  hostname,
  username,
  "EventID",
  "TargetObject",
  "Details",
  "TargetFilename",
  "Image",
  "CommandLine"
FROM events
WHERE
  devicetype = 12
  AND (
    (
      "EventID" = '13'
      AND "TargetObject" ILIKE '%\\Control\\Lsa\\Notification Packages%'
    )
    OR
    (
      "EventID" = '11'
      AND "TargetFilename" ILIKE '%\\Windows\\System32\\%.dll'
      AND "Image" NOT ILIKE '%\\msiexec.exe'
      AND "Image" NOT ILIKE '%\\wusa.exe'
      AND "Image" NOT ILIKE '%\\TrustedInstaller.exe'
      AND "Image" NOT ILIKE '%\\svchost.exe'
      AND "Image" NOT ILIKE '%\\poqexec.exe'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity: critical | Confidence: high

Detects T1556.002 Password Filter DLL by monitoring Sysmon Event ID 13 (Registry Value Set) for writes to the LSA Notification Packages value, and Sysmon Event ID 11 (File Create) for DLLs written into System32 by processes outside the allow-list. devicetype 12 is the Microsoft Windows Security Event Log log source type, which is also the DSM QRadar applies to Sysmon events forwarded by WinCollect; adjust the ID if your Sysmon events arrive under a different log source type. Two caveats before relying on the rule: Sysmon only reports registry writes that match a RegistryEvent rule in its configuration, so confirm the Notification Packages key is covered, and the second leg is noisy on its own (Windows servicing and installers write DLLs to System32 routinely) while an attacker who stages the DLL with an allow-listed installer such as msiexec.exe will not trigger it. lsass loads the filter at the next boot, so a Notification Packages change followed by an unscheduled reboot of a domain controller deserves a closer look.
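The following is an added example, not code from the page or from IBM: it re-implements the two legs of the AQL rule in Python over constructed Sysmon events and then correlates them, which the AQL rule does not do. A DLL create in System32 whose name matches a newly registered package on the same host within a time window is reported even when the writing process is allow-listed. The baseline package set, the NUL/whitespace-separated rendering of the REG_MULTI_SZ Details field, and the sample events, hostnames and DLL names are all assumptions made for the example.

```python
"""Added example: the AQL rule's two legs plus a correlation step, run over
constructed Sysmon events. Field names (EventID, Computer, UtcTime, Image,
TargetFilename, TargetObject, Details) follow Sysmon; the data is made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Assumption: a clean domain controller lists exactly these packages. Baseline
# this from your own DCs; entries are stored without the .dll suffix.
BASELINE_PACKAGES = {"scecli", "rassfm"}
# Same process allow-list the AQL rule uses for the System32 DLL-create leg.
ALLOWED_DLL_WRITERS = {"msiexec.exe", "wusa.exe", "trustedinstaller.exe",
                       "svchost.exe", "poqexec.exe"}
NOTIFICATION_KEY = "\\control\\lsa\\notification packages"
SYSTEM32_DIR = "\\windows\\system32\\"


@dataclass(frozen=True)
class Alert:
    kind: str        # "registry", "dll_drop" or "correlated"
    host: str
    detail: str
    time: datetime


def parse_packages(details):
    """Split a REG_MULTI_SZ Details string into package names. Assumption:
    entries are separated by NUL or whitespace (rendering varies by collector)."""
    return {p.lower() for p in details.replace("\x00", " ").split()}


def dll_basename(path):
    """C:\\Windows\\System32\\PwdFilter.DLL -> pwdfilter (as the registry names it)."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".dll") else name


def is_system32_dll(path):
    p = path.lower()
    return SYSTEM32_DIR in p and p.endswith(".dll")


def registry_leg(ev):
    """Sysmon 13 on Notification Packages; returns (Alert, added_names) or None.
    Unlike the AQL rule, a rewrite that reproduces the baseline is ignored."""
    if ev["EventID"] != 13 or NOTIFICATION_KEY not in ev.get("TargetObject", "").lower():
        return None
    pkgs = parse_packages(ev.get("Details", ""))
    added, removed = pkgs - BASELINE_PACKAGES, BASELINE_PACKAGES - pkgs
    if not added and not removed:
        return None
    detail = f"Notification Packages changed: added={sorted(added)} removed={sorted(removed)}"
    return Alert("registry", ev["Computer"], detail, ev["UtcTime"]), added


def dll_leg(ev):
    """Sysmon 11: a DLL written into System32 by a process outside the allow-list."""
    if ev["EventID"] != 11 or not is_system32_dll(ev.get("TargetFilename", "")):
        return None
    writer = ntpath.basename(ev.get("Image", "")).lower()
    if writer in ALLOWED_DLL_WRITERS:
        return None
    return Alert("dll_drop", ev["Computer"], f"{ev['TargetFilename']} written by {writer}", ev["UtcTime"])


def detect(events, window=timedelta(hours=24)):
    """Run both legs, then correlate: a System32 DLL create whose name matches a
    newly registered package on the same host within `window` is reported even
    when the writer is allow-listed (an attacker can drop the DLL with msiexec)."""
    alerts = []
    dll_creates = [e for e in events
                   if e["EventID"] == 11 and is_system32_dll(e.get("TargetFilename", ""))]
    for ev in events:
        hit = registry_leg(ev)
        if hit:
            alert, added = hit
            alerts.append(alert)
            for d in dll_creates:
                name = dll_basename(d["TargetFilename"])
                if (d["Computer"] == ev["Computer"] and name in added
                        and abs(d["UtcTime"] - ev["UtcTime"]) <= window):
                    alerts.append(Alert("correlated", ev["Computer"],
                        f"{name} registered as a password filter and {d['TargetFilename']} "
                        f"written by {ntpath.basename(d['Image'])}", ev["UtcTime"]))
        drop = dll_leg(ev)
        if drop:
            alerts.append(drop)
    return alerts


# Constructed sample: a filter dropped via msiexec (allow-listed) and then
# registered, a servicing write, a stray DLL from PowerShell, and a benign
# rewrite of the baseline on a second DC.
T0 = datetime(2024, 5, 1, 10, 0, 0)
NP_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "DC01", "UtcTime": T0,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\pwdfilter.dll"},
    {"EventID": 13, "Computer": "DC01", "UtcTime": T0 + timedelta(minutes=5),
     "TargetObject": NP_KEY, "Details": "scecli\x00rassfm\x00pwdfilter"},
    {"EventID": 11, "Computer": "DC01", "UtcTime": T0 + timedelta(minutes=10),
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventID": 11, "Computer": "DC01", "UtcTime": T0 + timedelta(minutes=15),
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Windows\\System32\\helper.dll"},
    {"EventID": 13, "Computer": "DC02", "UtcTime": T0,
     "TargetObject": NP_KEY, "Details": "scecli\x00rassfm"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.kind}] {a.host} {a.time:%H:%M} {a.detail}")
```

Running the sample yields three alerts for DC01 (the registry change, the correlated msiexec drop of pwdfilter.dll, and the stray helper.dll from PowerShell) and nothing for DC02, whose rewrite matched the baseline. The correlated alert is the one worth paging on; the other two are the same signals the AQL rule emits.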

Data Sources

IBM QRadar SIEM; Microsoft Windows Security Event Log (Sysmon forwarded via WinCollect or a Universal DSM)

Required Tables

events

False Positives & Tuning

  • Legitimate password filter products (nFront, Enzoic, SpecOps) registering their DLLs in Notification Packages during installation or version upgrades on Windows domain controllers
  • Endpoint protection agents that write DLLs to System32 during initial deployment, for example LSA plug-ins or credential-protection components that are not delivered through an allow-listed installer
  • Domain controller patching via WSUS or SCCM where Windows Update delivers DLL updates through processes not present in the exclusion list during staged or out-of-band patching cycles

Testing Methodology

Validate this detection with the three tests below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Register a Benign Password Filter DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.

  2. Test 2: Drop a DLL File in System32 from a Non-System Process

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.

  3. Test 3: Query Current LSA Notification Packages (Reconnaissance)

    Expected signal: Security Event ID 4656/4663 (registry key access) only if the Audit Registry subcategory is enabled and a SACL is set on HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Sysmon does not log registry reads (its registry events are 12 for key or value create/delete, 13 for value set and 14 for rename), so this test produces no Sysmon event and does not fire the rule above; it validates your Windows object access auditing, not the detection.
