MITRE ATT&CK® Detection Strategy

DET0472: Detect Malicious Password Filter DLL Registration


Enterprise | DET0472 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0472 is a detection strategy for identifying malicious registration of Windows Password Filter DLLs. The business issue is that this behavior sits directly in the authentication path: if an unauthorized filter is registered, credential exposure, persistence, and defense impairment become plausible concerns for Windows environments, especially where domain controllers validate domain passwords.

Executive priority

Prioritize this as an identity and resilience control question: do security teams know which password filter DLLs are approved, who can change them, and whether changes on domain controllers or local Windows systems are monitored? This is relevant to incident decision-making, compliance evidence, and identity risk because the related ATT&CK technique is mapped to credential access, persistence, and defense impairment.

Technical view

The supplied relationship maps DET0472 to T1556.002, Password Filter DLL, on Windows. SOC and IR teams should validate visibility for password filter DLL registration changes, DLL placement on systems that enforce local or domain password policy, and administrative changes around authentication configuration. Detection should distinguish approved password policy/security tooling from unexpected or newly introduced DLL registrations, especially on domain controllers.

Likely telemetry

  • Windows configuration or registration data for password filter DLLs
  • File creation, modification, and integrity events for DLLs placed on domain controllers or local Windows systems
  • Administrative change events affecting authentication or password policy components
  • Endpoint security alerts or audit logs related to authentication-process configuration changes
  • Change-management records for approved password filter deployments

Detection direction

  • Baseline approved Password Filter DLLs and alert on additions or modifications outside authorized change windows.
  • Correlate a new or changed DLL registration with file placement or modification on the same Windows system.
  • Treat domain controller changes as higher priority because the related technique applies to domain account password validation.
  • Tune for legitimate password policy enforcement tools to reduce false positives while preserving alerts for unapproved DLL names, paths, or change actors.
  • Validate blind spots where domain controller logging, endpoint file integrity monitoring, or configuration auditing is incomplete.
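One way to implement the baseline-and-correlate direction above, as an added example that is not Glexia's or MITRE's code: it assumes password filters are registered in the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (a location the page itself does not name), takes Sysmon-style registry and file events as input, and uses a constructed baseline, host inventory and sample events.

```python
# Added example (not Glexia's or MITRE's code). Assumes password filters are
# registered in the REG_MULTI_SZ value 'Notification Packages' under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa and that telemetry arrives as
# Sysmon-style registry value-set (ID 13) and file-create (ID 11) events.
from dataclasses import dataclass

LSA_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages"
# Constructed baseline: Windows built-ins plus one approved vendor filter (placeholder name).
APPROVED = {"scecli", "rassfm", "acmepwdfilter"}
DOMAIN_CONTROLLERS = {"DC01"}  # constructed host inventory

@dataclass(frozen=True)
class Event:
    host: str
    event_id: int       # 13 = registry value set, 11 = file create
    user: str
    target: str         # registry value path or file path
    details: str = ""   # ID 13 only: new multi-string, entries separated by NUL

def registered_filters(details: str) -> set:
    """Parse a REG_MULTI_SZ payload into lower-cased filter names."""
    return {d.strip().lower() for d in details.split("\0") if d.strip()}

def evaluate(events: list) -> list:
    """Alert on filters outside the baseline; escalate when the same host also saw
    a DLL of that name created, and again when the host is a domain controller."""
    dropped = set()  # (host, dll name without extension)
    for e in events:
        if e.event_id == 11 and e.target.lower().endswith(".dll"):
            dropped.add((e.host, e.target.rsplit("\\", 1)[-1][:-4].lower()))
    alerts = []
    for e in events:
        if e.event_id != 13 or e.target.lower() != LSA_VALUE.lower():
            continue
        unapproved = registered_filters(e.details) - APPROVED
        if not unapproved:
            continue  # only baseline filters present: no alert
        correlated = any((e.host, n) in dropped for n in unapproved)
        is_dc = e.host in DOMAIN_CONTROLLERS
        severity = ("medium", "high", "high", "critical")[2 * is_dc + correlated]
        alerts.append({"host": e.host, "user": e.user, "severity": severity,
                       "unapproved": sorted(unapproved), "file_correlated": correlated})
    return alerts

# Constructed sample telemetry: a new DLL is written on a DC and then registered.
SAMPLE_EVENTS = [
    Event("DC01", 11, r"CORP\svc-deploy", r"C:\Windows\System32\pwdmon.dll"),
    Event("DC01", 13, r"CORP\svc-deploy", LSA_VALUE, "scecli\0rassfm\0pwdmon"),
    Event("WS07", 13, r"WS07\admin", LSA_VALUE, "scecli\0acmepwdfilter"),  # approved only
]
```

Running `evaluate(SAMPLE_EVENTS)` yields a single critical alert for DC01 naming `pwdmon`; the workstation registration matches the baseline and is silent.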

Mitigation priorities

  • Maintain an approved inventory of Password Filter DLLs and their business owners.
  • Restrict administrative rights and write access to authentication-related configuration and DLL locations.
  • Require change control and evidence retention for password filter deployments, especially on domain controllers.
  • Use configuration monitoring or file integrity monitoring to detect unauthorized registration or DLL placement.
  • Prepare IR procedures for credential-risk assessment if an unauthorized password filter is discovered.

Analyst notes and limits

The official ATT&CK object supplied has no description, no detection text, no tactics, and no platform of its own. The practical guidance is derived from the detection strategy name and its relationship to T1556.002, which supplies the Windows platform and the credential-access, persistence, and defense-impairment context.

This take does not assert active exploitation, attribution, or guaranteed detection coverage. Local validation is required to confirm where Password Filter DLLs are used, what telemetry is collected, and which registrations are legitimate.

Official MITRE ATT&CK definition

Detect Malicious Password Filter DLL Registration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                 Relationship / procedure
Enterprise  T1556.002  Password Filter DLL  Sub-technique: this object detects Password Filter DLL.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 72a51feb87bd7844...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  72a51feb87bd…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0472 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.