Detects suspicious registration of new password filter DLLs into the authentication process. Correlates registry modifications to LSASS Notification Packages with subsequent DLL creation and loading events. Observes anomalous file placement of DLLs in system directories followed by LSASS loading the new filter during logon/password change activity.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| RegistryPath | Specific registry path monitored for modification (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages). |
| AllowedDLLs | Known and approved password filter DLLs; deviations from baseline may indicate malicious injection. |
| TimeWindow | Time window for correlating registry modification, file creation, and module load events. |
| FilePathPatterns | Expected directories for legitimate password filter DLLs; anomalous paths may signal compromise. |