Registration of a Password Filter DLL¶
Identifies the installation of password filter DLLs which may be used to steal credentials from LSA.
| id: | ae6ae50f-69f3-4e85-bfe2-2db9d1422517 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Credential Access |
|---|---|
| techniques: | T1174 Password Filter DLL |
Query¶
registry where hive.hklm and
registry_path == "*SYSTEM\\ControlSet*\\Control\\Lsa\\Notification Packages*"
| unique registry_path, process_path