AN1303: Analytic 1303
Detects suspicious registration of new password filter DLLs into the authentication process. Correlates registry modifications to LSASS Notification Packages with subsequent DLL creation and loading events. Observes anomalous file placement of DLLs in system directories followed by LSASS loading the new filter during logon/password change activity.
Analyst context for executives and security teams
This analytic matters because password filter DLL registration touches the Windows authentication path. If an unexpected DLL is added to LSASS Notification Packages and then loaded by LSASS, it can indicate a material change to how passwords or logon activity are handled on a host. For leaders, the decision value is whether the organization can prove it monitors high-risk authentication changes, not merely whether endpoint logs exist.
Executive priority
Prioritize this as an identity and incident-response readiness control for Windows environments. The key business question is whether security teams can quickly distinguish approved authentication software changes from suspicious modifications that may affect credential handling. This also supports audit and compliance evidence around monitoring of privileged system configuration changes and authentication infrastructure integrity.
Technical view
Validate that SOC and IR workflows can correlate three evidence points on Windows systems: registry modification to LSASS Notification Packages, creation or placement of a DLL in a system directory, and subsequent loading of that DLL by LSASS during logon or password-change activity. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic for suspicious authentication-process modification rather than a complete campaign indicator.
Likely telemetry
- Windows registry modification events for LSASS Notification Packages
- DLL file creation or placement events in Windows system directories
- Process/module load telemetry showing LSASS loading DLLs
- Logon and password-change activity timing for correlation
- Endpoint detection or host audit logs capable of linking registry, file, and module-load events
Detection direction
- Confirm collection coverage for registry, file creation, and LSASS module-load telemetry on Windows endpoints and servers.
- Tune correlation logic around sequence and timing: registry change, DLL creation or placement, then LSASS loading the DLL during relevant authentication activity.
- Baseline known legitimate password filter DLLs and authorized authentication software to reduce false positives.
- Investigate unapproved DLL paths, unusual file names, recent creation times, or changes that occur outside planned maintenance windows.
- Account for blind spots where module-load telemetry from LSASS is unavailable or where registry auditing is not enabled.
Mitigation priorities
- Maintain an approved inventory of password filter DLLs and authentication-related software on Windows systems.
- Restrict and monitor administrative access capable of modifying LSASS Notification Packages or writing DLLs into system directories.
- Use change-control evidence for planned authentication component updates so SOC analysts can distinguish authorized changes from suspicious ones.
- Ensure endpoint logging and retention are sufficient for incident responders to reconstruct registry, file, and module-load sequences.
- Review alert handling procedures so suspected authentication-process changes trigger timely identity and host investigation.
Analyst notes and limits
This take is based only on the supplied MITRE analytic description for AN1303. The analytic is narrowly centered on suspicious registration and loading of password filter DLLs through LSASS Notification Packages on Windows. No relationships, tactics, groups, software, or procedure examples were supplied, so local baselining and environment-specific allowlisting are essential.
Official detection content was not provided, and no relationship context was supplied. This summary does not assert active exploitation, attribution, impact, or guaranteed detection. Implementation details depend on available Windows endpoint telemetry and local authentication software baselines.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ccb6490a599d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1303 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.