1. Home
  2. Techniques
  3. Enterprise
  4. Modify Authentication Process
  5. Password Filter DLL

Modify Authentication Process: Password Filter DLL

ID Name
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.[1]

ID: T1556.002
Sub-technique of:  T1556
Platforms: Windows
Contributors: Vincent Le Toux
Version: 2.1
Created: 11 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0049 OilRig

OilRig has registered a password filter DLL in order to drop malware.[2]
S0125 Remsec

Remsec harvests plain-text credentials as a password filter registered on domain controllers.[3]
G0041 Strider

Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.[3]

Mitigations

ID Mitigation Description
M1028 Operating System Configuration

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0472 Detect Malicious Password Filter DLL Registration AN1303

Detects suspicious registration of new password filter DLLs into the authentication process. Correlates registry modifications to LSASS Notification Packages with subsequent DLL creation and loading events. Observes anomalous file placement of DLLs in system directories followed by LSASS loading the new filter during logon/password change activity.

References

  1. Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.
  2. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  1. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.