MITRE ATT&CK Technique
Description
Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made. (Citation: Carnal Ownage Password Filters Sept 2013)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows password filters are password policy enforcement '
'mechanisms for both domain and local accounts. Filters are '
'implemented as dynamic link libraries (DLLs) containing a '
'method to validate potential passwords against password '
'policies. Filter DLLs can be positioned on local computers '
'for local accounts and/or domain controllers for domain '
'accounts.\n'
'\n'
'Before registering new passwords in the Security Accounts '
'Manager (SAM), the Local Security Authority (LSA) requests '
'validation from each registered filter. Any potential changes '
'cannot take effect until every registered filter acknowledges '
'validation.\n'
'\n'
'Adversaries can register malicious password filters to '
'harvest credentials from local computers and/or entire '
'domains. To perform proper validation, filters must receive '
'plain-text credentials from the LSA. A malicious password '
'filter would receive these plain-text credentials every time '
'a password request is made. (Citation: Carnal Ownage Password '
'Filters Sept 2013)',
'external_references': [{'external_id': 'T1174',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1174'},
{'description': 'Fuller, R. (2013, September 11). '
'Stealing passwords every time they '
'change. Retrieved November 21, 2017.',
'source_name': 'Carnal Ownage Password Filters Sept '
'2013',
'url': 'http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html'},
{'description': 'Bialek, J. (2013, September 15). '
'Intercepting Password Changes With '
'Function Hooking. Retrieved November '
'21, 2017.',
'source_name': 'Clymb3r Function Hook Passwords Sept '
'2013',
'url': 'https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/'}],
'id': 'attack-pattern--b8c5c9dd-a662-479d-9428-ae745872537c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:49:17.124Z',
'name': 'Password Filter DLL',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Vincent Le Toux'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}