T1556.002 Password Filter DLL
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.
Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.[1]
Item | Value |
---|---|
ID | T1556.002 |
Sub-techniques | T1556.001, T1556.002, T1556.003, T1556.004, T1556.005 |
Tactics | TA0006, TA0005, TA0003 |
Platforms | Windows |
Permissions required | Administrator, SYSTEM |
Version | 2.0 |
Created | 11 February 2020 |
Last Modified | 20 April 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0125 | Remsec | Remsec harvests plain-text credentials as a password filter registered on domain controllers.[3] |
G0041 | Strider | Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration | Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer, with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. |
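
One way to carry out the M1028 check on a single host, as an added example that is not part of the original page: it reads the Notification Packages value, compares each entry to an allowlist, and reports the matching DLL in System32. The `$Baseline` parameter and its `scecli` sample value are assumptions; replace them with the packages your known-good build registers.

```powershell
# Added example: audit the LSA password filters registered on the local machine.
# $Baseline is an assumption (constructed sample allowlist), not a value from the page.
param(
    [string[]]$Baseline = @('scecli')
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$system32 = Join-Path $env:SystemRoot 'System32'

# 'Notification Packages' is a REG_MULTI_SZ, so it comes back as a string array.
$value      = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$registered = @($value) | Where-Object { $_ -and $_.Trim() }

$report = foreach ($name in $registered) {
    # Entries are normally bare names without the .dll extension.
    $leaf   = if ($name -match '\.dll$') { $name } else { "$name.dll" }
    $path   = Join-Path $system32 $leaf
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $file   = if ($exists) { Get-Item -LiteralPath $path } else { $null }
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        Package    = $name
        InBaseline = $Baseline -contains $name      # case-insensitive match
        Exists     = $exists
        Path       = $path
        # Signature status is reported for review; it is not used to flag entries.
        Signature  = if ($sig) { $sig.Status } else { 'n/a' }
        CreatedUtc = if ($file) { $file.CreationTimeUtc } else { $null }
        SHA256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
    }
}

$report | Format-List

# Flag anything outside the allowlist, or registered without a DLL in System32.
$unexpected = @($report | Where-Object { -not $_.InBaseline -or -not $_.Exists })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected or missing password filter(s): " + ($unexpected.Package -join ', '))
    exit 1
}
Write-Output 'All registered password filters match the baseline.'
```

Run it from an elevated prompt on domain controllers and member hosts alike, and keep the reported hashes and creation times so later runs can be compared against them.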
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0024 | Windows Registry | Windows Registry Key Modification |
References
1. Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.
2. Bialek, J. (2013, September 15). Intercepting Password Changes With Function Hooking. Retrieved November 21, 2017.
3. Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.