Detect Password Filter DLL in Sumo Logic CSE
Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.
MITRE ATT&CK
- Technique: T1556 Modify Authentication Process
- Sub-technique: T1556.002 Password Filter DLL
- Canonical reference: https://attack.mitre.org/techniques/T1556/002/
Sumo Detection Query
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*sysmon*)
| parse "<EventID>*</EventID>" as EventID nodrop
| parse "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse "<Data Name='Details'>*</Data>" as RegDetails nodrop
| parse "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse "<Data Name='Image'>*</Data>" as Image nodrop
| parse "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse "<Data Name='User'>*</Data>" as SysmonUser nodrop
| where
(EventID = "13" and TargetObject matches "*\\Control\\Lsa\\Notification Packages*")
or
(EventID = "11"
and TargetFilename matches "*\\Windows\\System32\\*.dll"
and NOT (Image matches "*\\msiexec.exe"
or Image matches "*\\wusa.exe"
or Image matches "*\\TrustedInstaller.exe"
or Image matches "*\\svchost.exe"
or Image matches "*\\poqexec.exe"))
| if (EventID = "13", "LSA Notification Packages Modified", "Suspicious DLL Written to System32") as DetectionType
| fields _time, _sourceHost, EventID, DetectionType, TargetObject, TargetFilename, Image, CommandLine, SysmonUser
| sort by _time desc

Detects T1556.002 Password Filter DLL via Sysmon event XML parsing in Sumo Logic. Monitors EventID 13 for LSA Notification Packages registry modification and EventID 11 for suspicious DLL creation in System32 by non-whitelisted installer processes. Requires a Sysmon log source ingested via an Installed Collector.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise password policy enforcement product installations (Enzoic for AD, nFront Password Filter, SpecOps) modifying Notification Packages during normal setup on domain controllers — validate DLL name added against vendor documentation and digital signature
- EDR/AV vendors writing DLLs to System32 during initial agent deployment or engine updates, particularly vendors that integrate at the LSA or credential provider level
- Automated configuration management tools (Ansible, Puppet, Chef DSC) that enforce the Notification Packages registry value during periodic compliance runs, triggering a registry write event even when the net content is unchanged
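The query above and the tuning notes, as a worked example that is not part of the original page and not Sumo Logic's own code: a small Python detector that applies the same two predicates (Event ID 13 on the LSA Notification Packages value, Event ID 11 for a DLL landing in System32 from a non-allowlisted image) to constructed Sysmon event XML, and adds the baseline comparison the third tuning bullet calls for, so a compliance tool rewriting the value with unchanged content does not alert. The sample events, hostnames, user names and the `BASELINE_PACKAGES` set are constructed for the example; it also assumes the collector renders the REG_MULTI_SZ entries space-separated, which is labelled in the code.

```python
import re

# Constructed Sysmon events (not real telemetry), rendered the way the page's
# parse expressions expect: <EventID>..</EventID> and <Data Name='..'>..</Data>.
SAMPLE_EVENTS = [
    # 1) Notification Packages rewritten with an extra, unknown DLL name
    "<Event><System><EventID>13</EventID><Computer>dc01.example.test</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\regedit.exe</Data>"
    "<Data Name='TargetObject'>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages</Data>"
    "<Data Name='Details'>scecli rassfm TestPasswordFilter</Data>"
    "<Data Name='User'>EXAMPLE\\admin</Data></EventData></Event>",
    # 2) Same value rewritten by a compliance run with unchanged content
    "<Event><System><EventID>13</EventID><Computer>dc01.example.test</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>"
    "<Data Name='TargetObject'>HKLM\\System\\CurrentControlSet\\Control\\Lsa\\Notification Packages</Data>"
    "<Data Name='Details'>scecli rassfm</Data>"
    "<Data Name='User'>EXAMPLE\\svc_config</Data></EventData></Event>",
    # 3) DLL dropped into System32 by an interactive shell
    "<Event><System><EventID>11</EventID><Computer>dc01.example.test</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='TargetFilename'>C:\\Windows\\System32\\testpwdfilter.dll</Data>"
    "<Data Name='User'>EXAMPLE\\admin</Data></EventData></Event>",
    # 4) DLL written by a servicing process the query allowlists
    "<Event><System><EventID>11</EventID><Computer>dc01.example.test</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\servicing\\TrustedInstaller.exe</Data>"
    "<Data Name='TargetFilename'>C:\\Windows\\System32\\example_update.dll</Data>"
    "<Data Name='User'>NT AUTHORITY\\SYSTEM</Data></EventData></Event>",
    # 5) Registry write unrelated to LSA
    "<Event><System><EventID>13</EventID><Computer>ws07.example.test</Computer></System>"
    "<EventData><Data Name='Image'>C:\\Windows\\regedit.exe</Data>"
    "<Data Name='TargetObject'>HKLM\\Software\\Example\\Setting</Data>"
    "<Data Name='Details'>1</Data>"
    "<Data Name='User'>EXAMPLE\\user</Data></EventData></Event>",
]

# The same predicates the Sumo query uses, as regular expressions.
NOTIFICATION_PACKAGES = re.compile(r"\\Control\\Lsa\\Notification Packages", re.IGNORECASE)
SYSTEM32_DLL = re.compile(r"\\Windows\\System32\\.*\.dll$", re.IGNORECASE)
INSTALLER_ALLOWLIST = {"msiexec.exe", "wusa.exe", "trustedinstaller.exe", "svchost.exe", "poqexec.exe"}

# Constructed baseline for the Notification Packages value. scecli and rassfm are
# the entries Windows ships with; a vendor filter DLL deployed on purpose is added
# here only after its name and signature have been checked against vendor documentation.
BASELINE_PACKAGES = {"scecli", "rassfm"}


def parse_event(xml: str) -> dict:
    """Pull EventID, Computer and every <Data Name=..> field out of one rendered event."""
    event = {}
    for tag in ("EventID", "Computer"):
        m = re.search(rf"<{tag}>(.*?)</{tag}>", xml)
        event[tag] = m.group(1) if m else ""
    # Accept both the single-quoted rendering used by the page's parse expressions
    # and the double-quoted form of raw Windows event XML.
    for name, value in re.findall(r"<Data Name=['\"]([^'\"]+)['\"]>(.*?)</Data>", xml):
        event[name] = value
    return event


def evaluate(event: dict, baseline=BASELINE_PACKAGES):
    """Return a detection dict for one parsed event, or None if it should not alert."""
    base = {"host": event["Computer"], "image": event.get("Image", ""), "user": event.get("User", "")}
    if event["EventID"] == "13" and NOTIFICATION_PACKAGES.search(event.get("TargetObject", "")):
        # Assumption: the collector renders the REG_MULTI_SZ entries space-separated,
        # as the constructed samples do. Comparing against the baseline suppresses a
        # compliance tool rewriting the value with unchanged content.
        packages = {p.lower() for p in event.get("Details", "").split()}
        new = sorted(packages - {b.lower() for b in baseline})
        if not new:
            return None
        return {**base, "type": "LSA Notification Packages Modified", "new_packages": new}
    if event["EventID"] == "11":
        target = event.get("TargetFilename", "")
        image_name = base["image"].rsplit("\\", 1)[-1].lower()
        if SYSTEM32_DLL.search(target) and image_name not in INSTALLER_ALLOWLIST:
            return {**base, "type": "Suspicious DLL Written to System32", "file": target}
    return None


def run_detection(raw_events, baseline=BASELINE_PACKAGES) -> list:
    """Apply the rule to a batch of rendered events and keep only the alerts."""
    hits = []
    for xml in raw_events:
        hit = evaluate(parse_event(xml), baseline)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Run against the five constructed events, only events 1 and 3 alert: the compliance rewrite (event 2) is suppressed because its entries are all in the baseline, the TrustedInstaller write (event 4) is dropped by the same image allowlist the query uses, and the unrelated registry write (event 5) never matches. Once a vendor filter has been validated and its name added to `BASELINE_PACKAGES`, event 1 stops alerting as well, which is how the first tuning bullet is meant to be applied.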
Other platforms for T1556.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Register a Benign Password Filter DLL
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages, Details containing 'TestPasswordFilter'. Security Event ID 4657 (registry value modified) if object access auditing is enabled.
- Test 2: Drop a DLL File in System32 from a Non-System Process
Expected signal: Sysmon Event ID 11 (File Create): TargetFilename=C:\Windows\System32\testpwdfilter.dll, Image=cmd.exe or powershell.exe. Security Event ID 4663 if file system auditing is enabled.
- Test 3: Query Current LSA Notification Packages (Reconnaissance)
Expected signal: Security Event ID 4656/4663 (registry key access) if object access auditing is enabled. Sysmon Event ID 12 (Registry Key Opened) for HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
References (6)
- https://attack.mitre.org/techniques/T1556/002/
- http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
- https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md
- https://docs.microsoft.com/en-us/windows/win32/secauthn/password-filter-programming-considerations
- https://www.secureworks.com/research/skeleton-key-malware-analysis