Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Credential Access
  4. >ATTACK-T1556.002
ATTACK-T1556.002Active

Password Filter DLL

Statement

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)

Location

Tactic
Credential Access

Technique Details

Identifier
ATTACK-T1556.002
Parent Technique
ATTACK-T1556
ATT&CK Page
View on MITRE

Tactics

Credential AccessDefense EvasionPersistence

Platforms

Windows

Detection

Detect Malicious Password Filter DLL Registration

Mitigations

Operating System Configuration: Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

  • Turn off SMBv1, LLMNR, and NetBIOS where not needed.
  • Disable remote registry and unnecessary services.

Enforce OS-level Protections:

  • Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
  • Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

  • Enable User Account Control (UAC) for Windows.
  • Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

  • Implement least-privilege access for critical files and system directories.
  • Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

  • Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
  • Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

  • Enable Secure Boot and enforce UEFI/BIOS password protection.
  • Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

  • Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

Tools for Implementation

Windows:

  • Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
  • Windows Defender Exploit Guard: Built-in OS protection against exploits.
  • CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

  • AppArmor/SELinux: Enforce mandatory access controls.
  • Lynis: Perform comprehensive security audits.
  • SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

  • Ansible or Chef/Puppet: Automate configuration hardening at scale.
  • OpenSCAP: Perform compliance and configuration checks.
SP 800-53
SP800-53-CM-6relatedvia ctid-attack-to-sp800-53
SP800-53-CM-7relatedvia ctid-attack-to-sp800-53
SP800-53-SI-4relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Credential Access
Credential Access62 controls
ATTACK-T1003OS Credential DumpingATTACK-T1003.001LSASS MemoryATTACK-T1003.002Security Account ManagerATTACK-T1003.003NTDSATTACK-T1003.004LSA SecretsATTACK-T1003.005Cached Domain CredentialsATTACK-T1003.006DCSyncATTACK-T1003.007Proc FilesystemATTACK-T1003.008/etc/passwd and /etc/shadowATTACK-T1040Network SniffingATTACK-T1110Brute ForceATTACK-T1110.001Password GuessingATTACK-T1110.002Password CrackingATTACK-T1110.003Password SprayingATTACK-T1110.004Credential StuffingATTACK-T1111Multi-Factor Authentication InterceptionATTACK-T1187Forced AuthenticationATTACK-T1212Exploitation for Credential AccessATTACK-T1528Steal Application Access TokenATTACK-T1539Steal Web Session CookieATTACK-T1552Unsecured CredentialsATTACK-T1552.001Credentials In FilesATTACK-T1552.002Credentials in RegistryATTACK-T1552.003Shell HistoryATTACK-T1552.004Private KeysATTACK-T1552.005Cloud Instance Metadata APIATTACK-T1552.006Group Policy PreferencesATTACK-T1552.007Container APIATTACK-T1552.008Chat MessagesATTACK-T1555Credentials from Password StoresATTACK-T1555.001KeychainATTACK-T1555.002Securityd MemoryATTACK-T1555.003Credentials from Web BrowsersATTACK-T1555.004Windows Credential ManagerATTACK-T1555.005Password ManagersATTACK-T1555.006Cloud Secrets Management StoresATTACK-T1556Modify Authentication ProcessATTACK-T1556.001Domain Controller AuthenticationATTACK-T1556.002Password Filter DLLATTACK-T1556.003Pluggable Authentication ModulesATTACK-T1556.004Network Device AuthenticationATTACK-T1556.005Reversible EncryptionATTACK-T1556.006Multi-Factor AuthenticationATTACK-T1556.007Hybrid IdentityATTACK-T1556.008Network Provider DLLATTACK-T1556.009Conditional Access PoliciesATTACK-T1557Adversary-in-the-MiddleATTACK-T1557.001LLMNR/NBT-NS Poisoning and SMB RelayATTACK-T1557.002ARP Cache PoisoningATTACK-T1557.003DHCP SpoofingATTACK-T1557.004Evil TwinATTACK-T1558Steal or Forge Kerberos TicketsATTACK-T1558.001Golden TicketATTACK-T1558.002Silver TicketATTACK-T1558.003KerberoastingATTACK-T1558.004AS-REP RoastingATTACK-T1558.005Ccache FilesATTACK-T1606Forge Web CredentialsATTACK-T1606.001Web CookiesATTACK-T1606.002SAML TokensATTACK-T1621Multi-Factor Authentication Request GenerationATTACK-T1649Steal or Forge Authentication Certificates