Stephan Berger
Head of Investigations @InfoGuardAG

May 6, 2022, 11 tweets

1/ #ThreatHunting: @SentinelOne blogged about a Chinese TA called Moshen Dragon that uses password filters to read plaintext passwords (when they are changed).

sentinelone.com/labs/moshen-dr…

2/ The idea of using a password filter to get plaintext passwords is not new and was (first?) documented back in 2013 by @mubix:

blog.carnal0wnage.com/2013/09/steali…

3/ Thanks to @spotheplanet's code, we can test this scenario in our lab (or use the project linked on the SentinelOne blog):

ired.team/offensive-secu…

4/ The compiled DLL must be dropped into the System32 directory, which requires administrative privileges on the machine.

5/ Afterwards, the DLL can be registered as a password filter ("\0" is needed for the space between the two filters):

reg add "hklm\system\currentcontrolset\control\lsa" /v "notification packages" /d scecli\0I_love_blue /t reg_multi_sz

6/ The picture shows the password filters before the reg add command and after, with our newly registered password filter.

7/ For testing, we change the password of a user on the machine where we installed the password filter. And voilà, the new password is recorded in plain text.

8/ Only 2 AV vendors detect the (newly) compiled DLL, and this number could probably be brought down even further with (minor) effort.

It remains to be tested whether, and which, EDR products would flag the "reg add" command as suspicious or block it.

9/ Since we find a manageable number of password filters even in larger environments, we can search specifically for outliers (with your preferred mechanism):

reg query "hklm\system\currentcontrolset\control\lsa" /v "notification packages"

10/ Here is an extract from a larger environment where the number of results is absolutely manageable (unique values only):

11/ After sorting out the default values (according to an older MS Technet page), only two password filters remain to be checked. An excellent hunt for your next hunting session 🙃
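As an added example (not from the thread), a small Python script that ingests the reg query output collected from many hosts, parses the REG_MULTI_SZ value, lists the unique configurations and flags entries outside a default baseline. The baseline (scecli on every host, rassfm additionally on domain controllers) and the per-host sample output are my assumptions, constructed to match the thread's scenario.

```python
"""Hunt for non-default LSA password filters across collected `reg query` output."""
import re
from collections import defaultdict

# Assumed defaults: 'scecli' on all hosts, 'rassfm' on domain controllers.
# Verify this baseline against your own build documentation before relying on it.
DEFAULT_PACKAGES = {"scecli", "rassfm"}

# Constructed sample output per host, as produced by:
#   reg query "hklm\system\currentcontrolset\control\lsa" /v "notification packages"
# (\0 separates the REG_MULTI_SZ entries in the console output)
SAMPLE_OUTPUT = {
    "WS01": "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
            "    Notification Packages    REG_MULTI_SZ    scecli\n",
    "DC01": "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
            "    Notification Packages    REG_MULTI_SZ    rassfm\\0scecli\n",
    "WS02": "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
            "    Notification Packages    REG_MULTI_SZ    scecli\\0I_love_blue\n",
    "WS03": "\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
            "    Notification Packages    REG_MULTI_SZ    scecli\n",
}

VALUE_RE = re.compile(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)$", re.IGNORECASE)


def parse_packages(reg_output: str) -> list[str]:
    """Return the package names registered on one host, in registry order."""
    for line in reg_output.splitlines():
        match = VALUE_RE.search(line.strip())
        if match:
            # Split on the literal \0 separator and drop empty entries.
            return [p for p in match.group(1).strip().split("\\0") if p]
    return []  # value missing or output truncated: treat as nothing registered


def unique_values(outputs: dict[str, str]) -> list[str]:
    """Unique Notification Packages configurations seen across all hosts (step 10/)."""
    return sorted({"\\0".join(parse_packages(out)) for out in outputs.values()})


def find_outliers(outputs: dict[str, str], baseline=DEFAULT_PACKAGES) -> dict[str, list[str]]:
    """Map each non-default package name to the hosts registering it (step 11/)."""
    hits = defaultdict(list)
    for host, out in outputs.items():
        for pkg in parse_packages(out):
            if pkg.lower() not in baseline:  # names are case-insensitive on Windows
                hits[pkg].append(host)
    return dict(hits)


if __name__ == "__main__":
    print("unique configurations:", unique_values(SAMPLE_OUTPUT))
    print("outliers to check:", find_outliers(SAMPLE_OUTPUT))
```

Each flagged name maps to System32\<name>.dll, which is the file to pull, hash and check for a valid signature next.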
