Thursday, September 29, 2016

Checking for Active Directory password filters

As Microsoft puts it, "Password filters provide a way for you to implement password policy and change notification." The other day, I read hackers were registering password filters to catch user passwords, following the revelation of the Project Sauron APT. Therefore, I had to check if any malicious password filters were installed on my domain controllers. One line of PowerShell is enough :-)
$lsa=Get-ADDomainController -Filter * | %{Invoke-Command -ComputerName $_.Hostname {ls HKLM:\SYS
Now check the $lsa object for "Notification Packages". For example, you can pipe it to Out-GridView and use the search field. More info on password filter registration:
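
A longer version of the same check, as an added example (not the one-liner from this post): it reads "Notification Packages" on every domain controller, flags entries outside a known-good list, and reports the signature of each registered DLL. It assumes the location Microsoft documents for password filter registration (the Lsa key under HKLM:\SYSTEM\CurrentControlSet\Control, with DLLs in System32), and the $baseline list is a placeholder to replace with your own.

```powershell
# Added example: audit LSA "Notification Packages" on every domain controller.
# Requires the ActiveDirectory module and PowerShell remoting to each DC.
Import-Module ActiveDirectory

# Assumption: packages you expect to see. Replace with your own known-good baseline.
$baseline = @('scecli', 'rassfm')

$report = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList (,$baseline) -ScriptBlock {
            param($baseline)
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $packages = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
            foreach ($name in $packages | Where-Object { $_ }) {
                # Filters are registered by name, without the .dll extension, and load from System32
                $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
                $exists = Test-Path -LiteralPath $dll
                $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
                [pscustomobject]@{
                    Package    = $name
                    InBaseline = $baseline -contains $name   # case-insensitive match
                    DllPresent = $exists
                    # Older PowerShell versions can report catalog-signed system files
                    # as NotSigned, so treat this column as a lead, not a verdict.
                    Signature  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                    Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    LastWrite  = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTimeUtc } else { $null }
                }
            }
        }
    } catch {
        # A DC that cannot be reached is reported, not silently skipped
        [pscustomobject]@{ PSComputerName = $dc; Package = "ERROR: $($_.Exception.Message)"; InBaseline = $false }
    }
}

# Entries outside the baseline (and unreachable DCs) sort to the top
$report | Sort-Object InBaseline, PSComputerName |
    Format-Table PSComputerName, Package, InBaseline, DllPresent, Signature, Signer, LastWrite -AutoSize
```

Any row with InBaseline set to False deserves a look at the DLL itself, and a row that differs between otherwise identical domain controllers is worth the same attention.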