Registration of a Password Filter DLL
Identifies the installation of password filter DLLs which may be used to steal credentials from LSA.
| id: | ae6ae50f-69f3-4e85-bfe2-2db9d1422517 |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Credential Access |
|---|---|
| techniques: | T1174 Password Filter DLL |
Query
registry where hive.hklm and
registry_path == "*SYSTEM\\ControlSet*\\Control\\Lsa\\Notification Packages*"
| unique registry_path, process_path
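
The following is an added example, not part of the original analytic: a Python sketch of the query's filter and `unique` pipe run over constructed registry events, which also shows that a path recorded as `CurrentControlSet` does not satisfy the `SYSTEM\\ControlSet*` pattern. The `event_type` and `hive` field names, the sample paths, and case-insensitive matching are assumptions of this sketch.

```python
import re

# Rule pattern after EQL string unescaping ("\\" in the query is one backslash).
PATTERN = r"*SYSTEM\ControlSet*\Control\Lsa\Notification Packages*"

def wildcard_to_regex(pattern):
    """'*' is the only wildcard; every other character is literal.
    Case-insensitive matching is an assumption of this sketch."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

PATH_RE = wildcard_to_regex(PATTERN)

def run_rule(events):
    """registry where hive.hklm and registry_path == PATTERN
    | unique registry_path, process_path"""
    seen, hits = set(), []
    for ev in events:
        if ev.get("event_type") != "registry" or ev.get("hive") != "hklm":
            continue
        if not PATH_RE.fullmatch(ev.get("registry_path", "")):
            continue
        key = (ev["registry_path"], ev.get("process_path"))
        if key not in seen:  # unique: keep the first event per pair
            seen.add(key)
            hits.append(ev)
    return hits

def reg(path, proc, hive="hklm"):
    """Build a constructed registry event (hypothetical field layout)."""
    return {"event_type": "registry", "hive": hive,
            "registry_path": path, "process_path": proc}

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa"
CURRENT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
REG_EXE = r"C:\Windows\System32\reg.exe"

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    reg(LSA + r"\Notification Packages", REG_EXE),                   # match
    reg(LSA + r"\Notification Packages", REG_EXE),                   # duplicate pair
    reg(LSA + r"\Notification Packages", r"C:\Users\Public\setup.exe"),  # match
    reg(LSA + r"\Security Packages", REG_EXE),                       # other value
    reg(CURRENT + r"\Notification Packages", REG_EXE),               # no match
    {"event_type": "process", "process_path": REG_EXE},              # wrong type
]

if __name__ == "__main__":
    for ev in run_rule(SAMPLE_EVENTS):
        print(ev["process_path"], "->", ev["registry_path"])
```

If the registry telemetry in use records the `CurrentControlSet` alias instead of the resolved `ControlSetNNN` key, the pattern needs to cover that form as well.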