title: Password Filter DLL (T1556.002)
id: df00tech-t1556-002
status: experimental
description: Adversaries may register malicious password filter DLLs to harvest credentials as they are validated. Windows password filters are DLLs that implement password policy enforcement — the LSA calls each registered filter with plaintext credentials before accepting a password change. A malicious filter receives plaintext passwords every time any user changes their password. Threat groups Strider (ProjectSauron/Remsec) and OilRig have deployed this technique against domain controllers.
references:
  - https://attack.mitre.org/techniques/T1556/002/
  - https://df00tech.com/detections/T1556.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1556.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate enterprise password policy enforcement tools (e.g., Enzoic, nFront Security Password Filter) that register valid password filter DLLs"
  - "Microsoft's own passfilt.dll which is installed by default and listed in Notification Packages"
  - Domain controller software updates or Group Policy enforcement tools that modify LSA security packages
  - "Third-party identity management solutions (e.g., CyberArk, BeyondTrust) that install password interception components"
level: critical
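Because the rule above could not be auto-translated, here is an added host-side audit helper (example code, not part of the df00tech rule) that reads the LSA `Notification Packages` value the description refers to and flags any registered filter that is neither a Windows default nor on an organisation-supplied allowlist, which is how the legitimate third-party filters listed under falsepositives are suppressed. The default set `scecli`/`rassfm` is an assumed baseline; confirm it against a known-good host before relying on it.

```python
"""Audit the LSA 'Notification Packages' value for unexpected password filter DLLs."""
import sys
from typing import Iterable

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Notification Packages"

# Assumed baseline: module names Windows registers itself (stored without .dll).
# 'scecli' is present on every host; 'rassfm' is added on domain controllers.
DEFAULT_PACKAGES = {"scecli", "rassfm"}


def normalize(name: str) -> str:
    """Lower-case and strip a trailing .dll so 'Foo.DLL' and 'foo' compare equal."""
    n = name.strip().lower()
    return n[:-4] if n.endswith(".dll") else n


def find_unexpected_filters(packages: Iterable[str], allowlist: Iterable[str] = ()) -> list[str]:
    """Return registered filters that are neither Windows defaults nor allowlisted.

    `allowlist` holds the approved third-party filters (e.g. an enterprise
    password-policy product) so that known-good entries do not raise alerts.
    """
    known = DEFAULT_PACKAGES | {normalize(a) for a in allowlist}
    found = {normalize(p) for p in packages}
    return sorted(p for p in found if p and p not in known)


def read_notification_packages() -> list[str]:
    """Read the live value (Windows only); REG_MULTI_SZ is returned as a list of str."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        value, vtype = winreg.QueryValueEx(key, VALUE_NAME)
    if vtype != winreg.REG_MULTI_SZ:
        raise ValueError(f"unexpected registry type {vtype} for {VALUE_NAME}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        pkgs = read_notification_packages()
    else:
        # Constructed sample for offline use: a domain controller default plus one unknown entry.
        pkgs = ["rassfm", "scecli", "unknown_helper"]
    # Approved filter names can be passed on the command line as the allowlist.
    for hit in find_unexpected_filters(pkgs, allowlist=sys.argv[1:]):
        print(f"ALERT: unexpected password filter registered in LSA: {hit}")
```

Run it on each domain controller and alert on any non-empty result; an empty list means only the baseline and allowlisted filters are registered.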
