Credential Manager DLL

Location:

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKLM\SYSTEM\CurrentControlSet\Services\<...>\NetworkProvider

Classification:

Criteria	Value
Permissions	Admin
Security context	System
Persistence type	Registry
Code type	DLL
Launch type	Any logon required
Impact	Non-destructive
OS Version	All OS versions
Dependencies	OS only
Toolset	Scriptable

Description:

When user logs on, winlogon.exe launches the child mpnotify.exe process, which in turns loads Credential Manager DLLs specified in Registry. To make it even funnier, the DLL obtains cleartext passwords.

References:

https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy

Credits:

0gtweet

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

credmandll.md

credmandll.md

Credential Manager DLL

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Files

credmandll.md

Latest commit

History

credmandll.md

File metadata and controls

Credential Manager DLL

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks: