elastic/Silhouette

Silhouette

By Gabriel Landau and Mark Mager at Elastic Security.

From Hide Your Valuables — Mitigating Physical Credential Dumping Attacks presented at Shmoocon 2023. Slides here.

Keeping LSA secrets out of physical memory

Silhouette is a proof of concept (PoC) that mitigates the use of physical memory to dump credentials from LSASS. It does this in three ways:

  1. Aggressively flush LSASS's pages from RAM to disk.
  2. Block raw disk access within the boot volume, preventing raw copy attacks against pagefile.sys and hiberfil.sys (e.g. Invoke-NinjaCopy).
  3. Block FILE_READ_DATA for pagefile.sys in all Volume Shadow Copy snapshots to block access with tools like hobocopy.
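As an added illustration, not Silhouette's own driver code, here is the open-time decision that rules 2 and 3 describe, modelled as a plain user-mode C function so it can be compiled and tested. The NT paths, the boot-volume name and the access masks are constructed inputs, and treating an open whose path is exactly the volume device (no file component) as a raw-volume handle request is an assumption about how such opens are recognised.

```c
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

/* Access-right bits, values as defined in winnt.h. */
#define FILE_READ_DATA       0x0001u
#define FILE_READ_ATTRIBUTES 0x0080u

/* NT object paths are case-insensitive, so compare that way. */
static bool has_prefix_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

static bool equals_ci(const char *a, const char *b) {
    return has_prefix_ci(a, b) && strlen(a) == strlen(b);
}

/* Final path component, or the whole string when there is no backslash. */
static const char *basename_nt(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

/*
 * Decide whether an open should be denied, following README rules 2 and 3.
 * nt_path        : NT device path of the object being opened (constructed input)
 * desired_access : access mask requested by the caller
 * boot_volume    : device name of the boot volume, e.g. "\Device\HarddiskVolume3"
 * Assumption: an open whose path is exactly the volume device (no file
 * component) is a raw-volume handle request.
 */
bool silhouette_should_deny(const char *nt_path, unsigned desired_access,
                            const char *boot_volume) {
    /* Rule 2: no raw handles to the boot volume (blocks raw pagefile/hiberfil copies). */
    if (equals_ci(nt_path, boot_volume))
        return true;
    /* Rule 3: in any VSS snapshot, pagefile.sys may not be opened for data reads.
       Metadata-only opens (e.g. FILE_READ_ATTRIBUTES) are still allowed. */
    if (has_prefix_ci(nt_path, "\\Device\\HarddiskVolumeShadowCopy") &&
        equals_ci(basename_nt(nt_path), "pagefile.sys") &&
        (desired_access & FILE_READ_DATA))
        return true;
    /* Everything else, including the live pagefile.sys, is outside rules 2 and 3. */
    return false;
}
```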

It is highly recommended to enable RunAsPPL before using Silhouette.

Building and running it

This is a proof of concept. Use it at your own risk.

  1. Compile Silhouette.sln with Visual Studio 2019. The WDK is required. This was originally developed with the Win11 21H2 WDK.
  2. Enable Test Signing.
  3. Register the service:
     ```
     sc create Silhouette type= filesys start= demand binpath= %CD%\Silhouette.sys
     ```
  4. Add the Minifilter keys:
     ```
     reg import FilterKeys.reg
     ```
  5. Start the service:
     ```
     sc start Silhouette
     ```

License

Silhouette is covered by the ELv2 license. It uses phnt from SystemInformer under the MIT license.