DET0472 Detect Malicious Password Filter DLL Registration

Item	Value
ID	DET0472
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1556.002 (Password Filter DLL)

Analytics

Windows

AN1303

Detects suspicious registration of new password filter DLLs into the authentication process. Correlates registry modifications to LSASS Notification Packages with subsequent DLL creation and loading events. Observes anomalous file placement of DLLs in system directories followed by LSASS loading the new filter during logon/password change activity.

Log Sources

Data Component	Name	Channel
Windows Registry Key Modification (DC0063)	WinEventLog:Security	EventCode=4657
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7

Mutable Elements

Field	Description
RegistryPath	Specific registry path monitored for modification (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages).
AllowedDLLs	Known and approved password filter DLLs; deviations from baseline may indicate malicious injection.
TimeWindow	Time window for correlating registry modification, file creation, and module load events.
FilePathPatterns	Expected directories for legitimate password filter DLLs; anomalous paths may signal compromise.