T1556.002 Microsoft Sentinel · KQL

Detect Password Filter DLL in Microsoft Sentinel

Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.002 Password Filter DLL
Canonical reference
https://attack.mitre.org/techniques/T1556/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let PasswordFilterRegistryKeys = dynamic([
  @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages",
  @"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"
]);
let RegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Control\\Lsa" and RegistryValueName =~ "Notification Packages"
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine;
let DLLsInSystem32 = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath =~ @"C:\Windows\System32"
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("msiexec.exe", "wusa.exe", "TrustedInstaller.exe", "svchost.exe")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SHA256;
union RegistryChanges, DLLsInSystem32
| sort by Timestamp desc
critical severity high confidence

Detects malicious password filter DLL registration by monitoring changes to the LSA Notification Packages registry key (where password filter DLLs are registered) and unexpected DLL drops into System32. Password filter DLLs must reside in System32 and be listed in this registry value to receive plaintext credentials during password changes.

Data Sources

Windows Registry: Registry Key ModificationFile: File CreationMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEventsDeviceFileEvents

False Positives & Tuning

  • Legitimate enterprise password policy enforcement tools (e.g., Enzoic, nFront Security Password Filter) that register valid password filter DLLs
  • Microsoft's own passfilt.dll which is installed by default and listed in Notification Packages
  • Domain controller software updates or Group Policy enforcement tools that modify LSA security packages
  • Third-party identity management solutions (e.g., CyberArk, BeyondTrust) that install password interception components
Download portable Sigma rule (.yml)

Other platforms for T1556.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Register a Benign Password Filter DLL

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.

  2. Test 2Drop a DLL File in System32 from Non-System Process

    Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.

  3. Test 3Query Current LSA Notification Packages (Reconnaissance)

    Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.007Hybrid IdentityT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1547.005Security Support ProviderT1056.001KeyloggingT1003OS Credential DumpingT1574.001DLLT1068Exploitation for Privilege Escalation

Same Tactic: Credential Access

Popular Detections