Dropping Of Password Filter DLL

Oct 23, 2025 · attack.persistence attack.defense-evasion attack.credential-access attack.t1556.002 ·

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Sigma rule (View on GitHub)

 1title: Dropping Of Password Filter DLL
 2id: b7966f4a-b333-455b-8370-8ca53c229762
 3status: test
 4description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
 5references:
 6    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
 7    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
 8author: Sreeman
 9date: 2020-10-29
10modified: 2022-10-09
11tags:
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.credential-access
15    - attack.t1556.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_cmdline:
21        CommandLine|contains|all:
22            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
23            - 'scecli\0*'
24            - 'reg add'
25    condition: selection_cmdline
26falsepositives:
27    - Unknown
28level: medium

References

Credential Access – Password Filter DLL

Microsoft has introduced password filters as a method for systems administrators to enforce password policies and change notification. Filters are used to validate new passwords and to ensure that …

Read More
PasswordFilter/PasswordFilter at master · 3gstudent/PasswordFilter

2 ways of Password Filter DLL to record the plaintext password - 3gstudent/PasswordFilter

Read More

Dropping Of Password Filter DLL

Sigma rule (View on GitHub)

References

Credential Access &#8211; Password Filter&nbsp;DLL

PasswordFilter/PasswordFilter at master · 3gstudent/PasswordFilter

Related rules

Credential Access – Password Filter DLL