How can a Password Filter DLL be used in a domain environment for backdoor or credential theft?
On a domain controller, an attacker who already holds administrative privileges can register a malicious Password Filter DLL to capture the plaintext passwords of all domain users whenever they change their passwords, or use the DLL as a backdoor that returns a reverse shell (e.g., Meterpreter). Because domain controllers have the password complexity policy enabled by default, only a reboot is needed to activate the filter. This technique complements other credential theft methods such as retrieving passwords from Windows Credential Manager.
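The defensive check that follows from this is an audit of which password filters LSA actually loads. Password filters are registered by name in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, are loaded by LSASS from `System32` at boot, and each one exports `PasswordChangeNotify`, which is the entry point that receives the plaintext password. The script below is an added example written for this page, not code from the original answer or from any vendor; it assumes it is run elevated on the domain controller itself, and the `$baseline` list of expected package names is a constructed placeholder to be replaced with your own known-good baseline. It lists every registered package, verifies that the DLL exists and carries a valid Microsoft Authenticode signature, records its SHA-256 for comparison across DCs, and pulls recent Security log events with ID 4614 ("A notification package has been loaded by the Security Account Manager"), which is the load-time evidence you would correlate with a reboot.

```powershell
# Added example (not from the original page): audit LSA password filter
# registrations on a domain controller and surface anything outside baseline.
# Assumptions: run in an elevated session on the DC; $baseline is a
# constructed placeholder, not an authoritative list for every environment.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @('scecli', 'rassfm')   # constructed baseline: replace with your own

# The value is REG_MULTI_SZ; each entry is a DLL name without the .dll suffix.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

function Test-PasswordFilterPackage {
    param([string]$Name)

    $dllPath = Join-Path $env:SystemRoot "System32\$Name.dll"
    $result = [ordered]@{
        Package    = $Name
        Path       = $dllPath
        InBaseline = $baseline -contains $Name
        Exists     = Test-Path -Path $dllPath
        SigStatus  = $null
        Signer     = $null
        SHA256     = $null
        Verdict    = 'REVIEW'
    }

    if (-not $result.Exists) {
        # A registered name with no DLL on disk is unusual and worth a look;
        # it may indicate a cleanup that left the registration behind.
        $result.Verdict = 'MISSING'
        return [pscustomobject]$result
    }

    $sig = Get-AuthenticodeSignature -FilePath $dllPath
    $result.SigStatus = $sig.Status
    $result.Signer    = $sig.SignerCertificate.Subject
    $result.SHA256    = (Get-FileHash -Path $dllPath -Algorithm SHA256).Hash

    # Only a baseline name backed by a valid Microsoft signature is treated as OK.
    $microsoftSigned = ($sig.Status -eq 'Valid') -and
                       ($sig.SignerCertificate.Subject -like '*Microsoft*')
    $result.Verdict = if ($result.InBaseline -and $microsoftSigned) { 'OK' } else { 'SUSPICIOUS' }
    return [pscustomobject]$result
}

Write-Host "Registered notification packages under $lsaKey`:"
$packages |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
    ForEach-Object { Test-PasswordFilterPackage -Name $_ } |
    Format-Table -AutoSize

# Load-time evidence: Event ID 4614 is written when LSASS loads a
# notification package, so a new package name here after a reboot is the
# detection signal to correlate with the registry change above.
try {
    Write-Host 'Recent notification package loads (Security log, Event ID 4614):'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4614 } -MaxEvents 20 -ErrorAction Stop |
        Select-Object TimeCreated, @{ Name = 'Package'; Expression = { $_.Properties[0].Value } } |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not read Event ID 4614 entries: $($_.Exception.Message)"
}
```

Run the script on every domain controller and diff the SHA-256 column across them: the filter must be present on each DC to see every password change, so a package that exists on only one DC, or whose hash differs between DCs, is the discrepancy to investigate first. Pairing the registry audit with a change-monitoring rule on the `Notification Packages` value catches the registration itself, before the reboot that activates it.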
Tags: domain controller, domain environment, credential theft, backdoor, Meterpreter, PasswordChangeNotify