The sub-techniques beta is now live! Read the release blog post for more info.

Password Filter DLL

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.

Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made. [1]

ID: T1174
Tactic: Credential Access
Platform: Windows
Permissions Required: Administrator, SYSTEM
Data Sources: DLL monitoring, Process monitoring, Windows Registry
Contributors: Vincent Le Toux
Version: 1.0
Created: 16 January 2018
Last Modified: 18 July 2019

Procedure Examples

Name Description

Remsec harvests plain-text credentials as a password filter registered on domain controllers.[2]


Mitigation Description
Operating System Configuration

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.


Monitor for change notifications to and from unfamiliar password filters.

Newly installed password filters will not take effect until after a system reboot.

Password filters will show up as an autorun and loaded DLL in lsass.exe. [3]