act as password filter DLL

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: act as password filter DLL
    namespace: persistence/authentication-process
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Persistence::Modify Authentication Process::Password Filter DLL [T1556.002]
    examples:
      - 4f08636da3941f6f1e70ac2bf449b69e2ddbdc23dac58fd7eab9c5fdce6a4960
  features:
    - and:
      - export: InitializeChangeNotify
      - export: PasswordChangeNotify
      - export: PasswordFilter

last edited: 2023-11-24 10:35:05