Password Filter DLL

Information

• Name: Password Filter DLL

• ID: T1556.002

• Tactics: TA0006, TA0005, TA0003

• Technique: T1556

Introduction

Password Filter DLL (T1556.002) is a sub-technique within the MITRE ATT&CK framework under the Credential Access tactic. Adversaries utilize malicious password filter DLLs to intercept and capture user credentials as they are changed or processed by the Windows operating system. Password filter DLLs are legitimate Windows components typically used to enforce password complexity rules and security policies. Attackers exploit this functionality by installing their own malicious DLL, thereby gaining access to plaintext passwords and significantly compromising credential security.

Deep Dive Into Technique

Password filter DLLs are implemented as dynamic link libraries (DLLs) that Windows loads during system startup or upon password changes. Legitimate password filter DLLs are registered in the Windows registry under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

Attackers exploit this mechanism by:

• Crafting a malicious DLL that exports required functions such as PasswordChangeNotify, PasswordFilter, and InitializeChangeNotify.

• Registering the malicious DLL in the registry key mentioned above, typically appending the DLL name to the existing list of Notification Packages.

• Upon registration, Windows loads the malicious DLL into the Local Security Authority (LSA) process (lsass.exe), granting it privileged access to plaintext passwords whenever a user changes their password.

Technical notes:

• Malicious DLLs typically export the following functions to ensure proper functionality and stealth:

  • InitializeChangeNotify(): Initializes internal structures used by the DLL.

  • PasswordFilter(): Checks password complexity; attackers usually return TRUE to avoid suspicion.

  • PasswordChangeNotify(): Captures plaintext passwords and forwards them to attacker-controlled storage or remote servers.

• The malicious DLL runs within the context of the privileged lsass.exe process, making detection and removal challenging.

• Attackers frequently use this technique for persistent credential harvesting, as it provides continuous access to plaintext credentials without additional exploitation.

When this Technique is Usually Used

This technique typically appears during multiple stages of an attack lifecycle, especially when adversaries aim for long-term persistence and credential harvesting. Common scenarios include:

• Initial compromise stage:

  • After gaining administrative privileges, attackers install malicious password filter DLLs to ensure continuous credential harvesting.

• Privilege escalation and lateral movement stage:

  • Attackers leverage captured credentials to escalate privileges within the network or move laterally to other systems and resources.

• Persistence stage:

  • Password filter DLLs provide persistent access to credentials even after initial compromise vectors are remediated, allowing attackers prolonged network presence.

• Reconnaissance and credential harvesting campaigns:

  • Advanced Persistent Threat (APT) actors utilize this technique to quietly collect passwords over extended periods, facilitating further compromise and espionage activities.

How this Technique is Usually Detected

Detection methods for malicious password filter DLLs include:

• Monitoring Windows Registry keys:

  • Regularly auditing the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages for unauthorized changes or unknown DLL entries.

• Endpoint Detection and Response (EDR) tools:

  • EDR solutions can detect suspicious DLL loading into lsass.exe, particularly DLLs not digitally signed or not associated with known valid software.

• File integrity monitoring:

  • Monitoring system directories (e.g., C:\Windows\System32) for new or modified DLL files.

• Behavioral analysis:

  • Observing unexpected network traffic from lsass.exe or suspicious file access patterns indicative of credential exfiltration.

• Event log analysis:

  • Reviewing Windows Security and System logs for unusual DLL loads or registry modifications related to password filter DLLs.

Indicators of Compromise (IoCs):

• Unknown or suspicious DLL files registered in the Notification Packages registry key.

• Unusual DLLs loaded into lsass.exe process.

• Network traffic from lsass.exe to external IP addresses.

• DLL files placed in unusual directories or lacking digital signatures.

Why it is Important to Detect This Technique

Early detection of malicious password filter DLLs is critical due to their severe impact on organizational security:

• Credential compromise:

  • Attackers gain continuous access to plaintext passwords, potentially compromising numerous user accounts and administrative credentials.

• Privilege escalation and lateral movement:

  • Stolen credentials enable attackers to escalate privileges and move laterally throughout the network, increasing the scope and severity of an attack.

• Persistent threat presence:

  • Malicious password filter DLLs provide attackers persistent access, even after initial infection vectors are mitigated, making containment and remediation difficult.

• Data exfiltration and espionage:

  • Attackers can leverage captured credentials to access sensitive data, intellectual property, and proprietary information, resulting in significant financial and reputational damage.

Early detection and prompt remediation minimize these risks, preventing extensive compromise and reducing the potential for prolonged adversary access.

Examples

Real-world examples of malicious password filter DLL usage include:

• Mimikatz "mimilib.dll" Module:

  • Attack Scenario:

    • Attackers leverage the Mimikatz toolkit's "mimilib.dll" module, a malicious password filter DLL that captures plaintext passwords during password changes.

  • Tools Used:

    • Mimikatz toolkit, custom malicious DLL ("mimilib.dll").

  • Impact:

    • Persistent credential harvesting, compromised administrative credentials, lateral movement, and sustained network access.

• APT29 (Cozy Bear) Operations:

  • Attack Scenario:

    • APT29 has historically deployed malicious password filter DLLs during espionage campaigns to quietly collect credentials and maintain persistent access.

  • Tools Used:

    • Custom-developed malicious DLLs, registry modification scripts.

  • Impact:

    • Long-term espionage, persistent access to sensitive government and corporate networks, extensive credential harvesting, and data exfiltration.

• FIN8 Attack Campaigns:

  • Attack Scenario:

    • FIN8 threat actors have used malicious password filter DLLs to maintain persistence and harvest credentials in financial sector attacks.

  • Tools Used:

    • Custom DLL payloads, advanced scripting for registry manipulation and DLL injection.

  • Impact:

    • Financial theft, persistent credential compromise, unauthorized access to sensitive financial data, and extensive lateral movement within compromised networks.