HKLM\SYSTEM\CurrentControlSet\Control\Lsa
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | System |
| Persistence type | Registry |
| Code type | DLL |
| Launch type | User initiated1 |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system.
The DLL not only provides some persistence, but also obtains a cleartext password from LSASS.
Footnotes
-
Password change must happen. Possibly machine password change will work as well making this automatic, but it happens quite rarely. ↩