- Tactics
- defense-impairment , Persistence , Credential Access
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1556.002
Description
Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.
Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the defense-impairment, Persistence, Credential Access tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1037 — Boot or Logon Initialization Scripts
- T1040 — Network Sniffing
- T1053 — Scheduled Task/Job
- T1056 — Input Capture
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1136 — Create Account