How can defenders detect and prevent the misuse of Password Filter DLLs?
Defenders should monitor `%windir%\system32\` for suspicious DLLs (especially recently added ones), check the `Notification Packages` registry key for unknown entries, and enable Additional LSA Protection to prevent unauthorized LSA plug-ins. Regularly auditing password change events and using file integrity monitoring can also help. Attackers must already have admin privileges, so enforcing least privilege is critical.
detection, defense, LSA Protection, registry monitoring, file integrity, least privilege