{"id":15044490,"url":"https://github.com/elastic/silhouette","last_synced_at":"2025-04-09T15:06:16.488Z","repository":{"id":65438430,"uuid":"554312144","full_name":"elastic/Silhouette","owner":"elastic","description":"Keep it secret, keep it safe","archived":false,"fork":false,"pushed_at":"2025-02-06T03:31:51.000Z","size":1140,"stargazers_count":77,"open_issues_count":1,"forks_count":10,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-09T15:06:12.334Z","etag":null,"topics":["security","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elastic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-19T15:47:19.000Z","updated_at":"2025-01-08T00:11:53.000Z","dependencies_parsed_at":"2025-02-24T04:10:38.020Z","dependency_job_id":"d695dbe8-b254-4d5a-8400-b80e09638fbd","html_url":"https://github.com/elastic/Silhouette","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2FSilhouette","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2FSilhouette/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2FSilhouette/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2FSilhouette/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elastic","download_url":"https://codeload.github.com/elastic/Silhouette/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","windows"],"created_at":"2024-09-24T20:50:38.853Z","updated_at":"2025-04-09T15:06:16.444Z","avatar_url":"https://github.com/elastic.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Silhouette\n\nBy [Gabriel Landau](https://twitter.com/GabrielLandau) and [Mark Mager](https://twitter.com/magerbomb) at [Elastic Security](https://www.elastic.co/security-labs/).\n\nFrom [_Hide Your Valuables — Mitigating Physical Credential Dumping Attacks_](https://www.youtube.com/watch?v=NnM9HvDping\u0026t=22652s) presented at [Shmoocon 2023](https://shmoocon.org/). Slides [here](2023-01%20Silhouette%20Shmoocon%20Presentation.pdf).\n\n### Keeping LSA secrets out of physical memory\n\nSilhouette is a POC that mitigates credential dumping from LSASS via physical memory (RAM and the on-disk copies of it in `pagefile.sys` and `hiberfil.sys`).  It does this in three ways:\n\n  1. Aggressively flush LSASS's pages from RAM to disk.\n  2. Block raw disk access within the boot volume, preventing raw copy attacks against `pagefile.sys` and `hiberfil.sys` (e.g. [Invoke-NinjaCopy](https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/Exfiltration%5CInvoke-NinjaCopy.ps1)).\n  3. Block `FILE_READ_DATA` for `pagefile.sys` in all Volume Shadow Copy snapshots, preventing access with tools like [hobocopy](https://github.com/candera/hobocopy).\n\n*It is highly recommended to enable RunAsPPL before using Silhouette.*\n\n## Building and running it\n\n**This is a proof of concept. Use it at your own risk.**\n\n1. Compile Silhouette.sln with Visual Studio 2019.  The WDK is required.  This was originally developed with the [Win11 21H2 WDK](https://learn.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads#step-2-install-the-wdk).\n2. Enable [Test Signing](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option).\n3. Register the service:\n```\nsc create Silhouette type= filesys start= demand binpath= %CD%\\Silhouette.sys\n```\n4. Add Minifilter keys:\n```\nreg import FilterKeys.reg\n```\n5. Start the service:\n```\nsc start Silhouette\n```\n\n\n# License\n\nSilhouette is covered by the [ELv2 license](LICENSE.txt).  It uses [phnt](https://github.com/winsiderss/systeminformer/tree/25846070780183848dc8d8f335a54fa6e636e281/phnt) from SystemInformer under the [MIT license](phnt/LICENSE.txt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fsilhouette","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felastic%2Fsilhouette","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Fsilhouette/lists"}
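The "Building and running it" steps in the README above, driven from PowerShell with the pre-flight checks (RunAsPPL, test signing) and the post-install verification a practitioner would want. This is an added example, not code from the Silhouette repository or its authors. It takes the service name `Silhouette`, the `sc create` arguments and the `FilterKeys.reg` file from the README; everything else is an assumption: that `fltmc filters` lists the loaded filter under the service name, and that the raw-volume block (mechanism 2) and the shadow-copy `FILE_READ_DATA` block (mechanism 3) surface as a failed open or read rather than as silently empty data. `Test-RawRead` is a helper written for this example.

```powershell
# Added example, not part of the Silhouette project. Run from an elevated
# PowerShell prompt in the directory holding Silhouette.sys and FilterKeys.reg.
# Assumptions not stated by the README: fltmc lists the filter under the service
# name, and the raw-volume / shadow-copy blocks show up as failed open/read calls.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName = 'Silhouette'
$DriverPath  = Join-Path $PWD 'Silhouette.sys'
$RegFile     = Join-Path $PWD 'FilterKeys.reg'
foreach ($f in $DriverPath, $RegFile) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Pre-flight 1: RunAsPPL. Silhouette only addresses reads of physical memory and
# of its on-disk copies; RunAsPPL is what blocks ordinary handle-based LSASS
# dumping, which is why the README recommends enabling it first. Values 1 and 2
# (2 = UEFI-locked) both mean enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RunAsPPL -notin 1, 2) {
    Write-Warning 'RunAsPPL is not enabled; the README recommends enabling it before using Silhouette.'
}

# Pre-flight 2: test signing. The driver is test-signed, so the kernel refuses to
# load it unless testsigning is on (which in turn needs Secure Boot off).
# bcdedit prints a "testsigning  Yes" line only when it is enabled.
$bcd = & bcdedit.exe /enum '{current}' | Out-String
if ($bcd -notmatch 'testsigning\s+Yes') {
    throw 'Test signing is off: run "bcdedit /set testsigning on" and reboot first.'
}

# README step 3: register the driver as a file-system service. Call sc.exe
# explicitly; in PowerShell the bare name "sc" is an alias for Set-Content.
if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName")) {
    & sc.exe create $ServiceName type= filesys start= demand binpath= $DriverPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed ($LASTEXITCODE)" }
}

# README step 4: minifilter instance/altitude keys shipped in FilterKeys.reg.
& reg.exe import $RegFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg import failed ($LASTEXITCODE)" }

# README step 5: load the driver, then confirm the filter manager attached it.
& sc.exe start $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc start failed ($LASTEXITCODE)" }
$filters = & fltmc.exe filters | Out-String
if ($filters -match "(?m)^$ServiceName\s") {
    Write-Host "$ServiceName is attached as a minifilter."
} else {
    Write-Warning "fltmc does not list $ServiceName; check the keys in FilterKeys.reg."
}

# Helper for the checks below: open a path read-only and read one sector.
# Returns 'readable', 'refused' (any open/read failure) or 'missing'.
function Test-RawRead([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { $buf = New-Object byte[] 512; [void]$fs.Read($buf, 0, 512); return 'readable' }
        finally { $fs.Dispose() }
    } catch {
        if ($_.Exception.InnerException -is [System.IO.FileNotFoundException]) { return 'missing' }
        return 'refused'
    }
}

# Check mechanism 2: a raw read of the boot volume (the Invoke-NinjaCopy route to
# pagefile.sys) is expected to be refused once the filter is active.
$bootVolume = '\\.\' + $env:SystemDrive
switch (Test-RawRead $bootVolume) {
    'readable' { Write-Warning "Raw read of $bootVolume succeeded; the raw-access block is not in effect." }
    default    { Write-Host "Raw read of $bootVolume was refused, as expected." }
}

# Check mechanism 3: pagefile.sys inside existing VSS snapshots (the hobocopy
# route) is expected to be refused. Only snapshots that already exist are tried.
foreach ($shadow in Get-CimInstance -ClassName Win32_ShadowCopy) {
    $pf = "$($shadow.DeviceObject)\pagefile.sys"
    switch (Test-RawRead $pf) {
        'readable' { Write-Warning "$pf is readable; FILE_READ_DATA is not being blocked." }
        'missing'  { Write-Host "$pf not present in this snapshot (non-boot volume?)." }
        default    { Write-Host "$pf refused, as expected." }
    }
}
```

The two verification checks are deliberately plain .NET file opens rather than the tools the README names, so they show the effect of the filter on any reader of the volume or snapshot, not just on one known tool. If a check reports `readable`, re-check that `fltmc filters` lists the driver and that `FilterKeys.reg` was imported before `sc start`; a filter that loads without its instance keys is not attached to any volume.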