Thursday, September 29, 2016

Checking for Active Directory password filters

As Microsoft puts it, "Password filters provide a way for you to implement password policy and change notification." The other day, I read that hackers were registering password filters to catch user passwords, following the revelation of the Project Sauron APT. Therefore, I had to check if any malicious password filters were installed on my domain controllers. One line of PowerShell is enough :-)
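# Read the Lsa key's values, which include "Notification Packages", from every domain controller
$lsa=Get-ADDomainController -Filter * | %{Invoke-Command -ComputerName $_.Hostname {Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa}}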
Now check the $lsa object for "Notification Packages". For example, you can pipe it to Out-GridView and use the search field. More info on registering password filters: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721766(v=vs.85).aspx
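
To go one step further than eyeballing the grid, the check can be compared against a baseline. This is an added example, not code from the original post: the $Baseline list is an assumption to replace with the packages you expect on your own domain controllers, and the DLL lookup assumes the filter sits in System32 as Microsoft's registration instructions describe.

```powershell
# Added example. $Baseline is an assumption: set it to the packages you
# expect to find registered on your own domain controllers.
$Baseline = @('scecli', 'rassfm')

$report = Get-ADDomainController -Filter * | ForEach-Object {
    Invoke-Command -ComputerName $_.HostName -ArgumentList (,$Baseline) -ScriptBlock {
        param([string[]]$Baseline)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # "Notification Packages" is a multi-string value on the Lsa key itself.
        $packages = @((Get-ItemProperty -Path $key).'Notification Packages') |
            Where-Object { $_ }
        foreach ($name in $packages) {
            # Packages are registered without the .dll extension; the file is
            # expected in System32 (assumption based on the registration docs).
            $dll     = Join-Path $env:SystemRoot "System32\$name.dll"
            $present = Test-Path -LiteralPath $dll
            $sig     = if ($present) { Get-AuthenticodeSignature -FilePath $dll }
            [pscustomobject]@{
                Package    = $name
                InBaseline = $Baseline -contains $name
                DllPresent = $present
                # Converted to a string so the value survives remoting intact.
                Signature  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Modified   = if ($present) { (Get-Item -LiteralPath $dll).LastWriteTime }
            }
        }
    }
}

# Packages outside the baseline are the ones to investigate first.
$report |
    Where-Object { -not $_.InBaseline } |
    Sort-Object PSComputerName, Package |
    Format-Table PSComputerName, Package, DllPresent, Signature, Signer, Modified -AutoSize
```

An empty table means every registered package on every domain controller is in the baseline; $report still holds the full list, signatures included, for review.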