Credential Manager DLL
Location:
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKLM\SYSTEM\CurrentControlSet\Services\<...>\NetworkProvider
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | Any logon required |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
When a user logs on, winlogon.exe launches the child process mpnotify.exe, which in turn loads the Credential Manager (network provider) DLLs listed in the Registry: the provider names come from the ProviderOrder value under the Order key above, and each name maps to a service key whose NetworkProvider subkey holds the ProviderPath of the DLL.
To make it even funnier, the DLL obtains cleartext passwords.
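A defender-side audit of this mechanism, added here as an example and not taken from the NPPSpy repository or from any Windows tool: the script walks the same two registry locations mpnotify.exe uses (ProviderOrder under the Order key, then each service's NetworkProvider\ProviderPath), resolves every DLL, and flags entries that are missing, live outside System32, or lack a valid Microsoft Authenticode signature. The "suspicious" heuristics (System32 location, Microsoft signer) are assumptions chosen for this example; legitimate third-party providers such as VPN clients will trip them, so compare the output against a known-good baseline rather than treating every hit as malicious.

```powershell
# Added example: enumerate the network provider DLLs loaded at logon and
# flag unexpected entries. Reading HKLM here needs no elevation.
function Get-NetworkProviderAudit {
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

    # ProviderOrder is a comma-separated list of service names, in load order.
    $names = $providerOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $names) {
        $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
        $reasons = @()

        if (-not (Test-Path -Path $npKey)) {
            # A name in ProviderOrder with no matching key is itself odd.
            [pscustomobject]@{
                Provider = $name; ProviderPath = $null; Exists = $false
                Signer = $null; Suspicious = $true
                Reason = 'listed in ProviderOrder but NetworkProvider key is missing'
            }
            continue
        }

        $np   = Get-ItemProperty -Path $npKey
        $path = [Environment]::ExpandEnvironmentVariables([string]$np.ProviderPath)
        $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)

        $signer = $null
        $validSig = $false
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $validSig = ($sig.Status -eq 'Valid')
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Heuristics (assumptions for this example, tune to your environment):
        if (-not $exists) { $reasons += 'ProviderPath does not exist on disk' }
        if ($path -notlike "$env:SystemRoot\System32\*") { $reasons += 'DLL outside System32' }
        if ($exists -and -not $validSig) { $reasons += 'no valid Authenticode signature' }
        elseif ($exists -and $signer -notmatch 'O=Microsoft Corporation') { $reasons += 'not Microsoft-signed' }

        [pscustomobject]@{
            Provider     = $name
            ProviderPath = $path
            Exists       = $exists
            Signer       = $signer
            Suspicious   = ($reasons.Count -gt 0)
            Reason       = ($reasons -join '; ')
        }
    }
}

# Usage: show only the entries worth a closer look.
Get-NetworkProviderAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Because the technique is purely registry-driven, the same two locations are the thing to watch for changes: a new name appended to ProviderOrder, or a new or modified ProviderPath under a service key, is the write an attacker must make, so a registry value-set rule (for example a Sysmon registry event scoped to these paths) catches the persistence at install time rather than at the next logon.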
References:
https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy