Detect Password Filter DLL in Splunk
Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.002 Password Filter DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1556/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
TargetObject="*\\Control\\Lsa\\Notification Packages*"
| eval RegistryChange="LSA Notification Packages Modified"
| table _time, host, TargetObject, Details, Image, ProcessId, User, RegistryChange
| sort - _time
| append
[search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
TargetFilename="*\\Windows\\System32\\*.dll"
NOT (Image="*\\msiexec.exe" OR Image="*\\wusa.exe" OR Image="*\\TrustedInstaller.exe" OR Image="*\\svchost.exe" OR Image="*\\System32\\poqexec.exe")
| table _time, host, TargetFilename, Image, CommandLine, User]
| sort - _timeDetects password filter DLL installation using Sysmon Event ID 13 (Registry Value Set) for changes to the LSA Notification Packages key, combined with Sysmon Event ID 11 (File Create) for unexpected DLL drops into System32 by non-system processes. Both events together indicate a password filter DLL being planted and registered.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate password complexity enforcement DLLs registered by enterprise security tools
- Windows Update installing passfilt.dll or related security components
- Enterprise identity management tools installing password policy enforcement components
- Security software updates that modify Notification Packages
Other platforms for T1556.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register a Benign Password Filter DLL
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
- Test 2Drop a DLL File in System32 from Non-System Process
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.
- Test 3Query Current LSA Notification Packages (Reconnaissance)
Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
References (6)
- https://attack.mitre.org/techniques/T1556/002/
- http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md
- https://docs.microsoft.com/en-us/windows/win32/secauthn/password-filter-programming-considerations
- https://www.secureworks.com/research/skeleton-key-malware-analysis
Unlock Pro Content
Get the full detection package for T1556.002 including response playbook, investigation guide, and atomic red team tests.