Description
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.
Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)
Platforms
Mitigations (1)
Operating System ConfigurationM1028
Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has registered a password filter DLL in order to drop malware.(Citation: Trend Micro Earth Simnavaz Oc... |
| G0041 | Strider | [Strider](https://attack.mitre.org/groups/G0041) has registered its persistence module on domain controllers as a Windows LSA (Local System Authority)... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used a tool named MRSAStealer as a password filter to collect credentials on password changes.... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) harvests plain-text credentials as a password filter registered on domain controllers.(Citation: Kas... |
References
Frequently Asked Questions
What is T1556.002 (Password Filter DLL)?
T1556.002 is a MITRE ATT&CK technique named 'Password Filter DLL'. It belongs to the Defense Impairment, Persistence, Credential Access tactic(s). Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are passw...
How can T1556.002 be detected?
Detection of T1556.002 (Password Filter DLL) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1556.002?
There are 1 documented mitigations for T1556.002. Key mitigations include: Operating System Configuration.
Which threat groups use T1556.002?
Known threat groups using T1556.002 include: OilRig, Strider, MirrorFace.