This project detects remote dumps of local credentials performed with the "Shadow Snapshot method". That method was implemented in Impacket in the following PR: [SECRETSDUMP] New Dump Method - Shadow Snapshot Method via WMI.
This project leverages Event Tracing for Windows (ETW) to monitor this behaviour.
Shadow Copy Creation and Removal Detection:
This PoC uses the Microsoft-Windows-WMI-Activity ETW provider to trace WMI method invocations. It specifically monitors:
- Shadow Copy creation via the Win32_ShadowCopy::Create method.
- Shadow Copy removal.
The PoC also monitors the Microsoft-Windows-SMBClient ETW provider for events indicating file reads over the SMB protocol, specifically:
- Reads of SYSTEM32\CONFIG\SAM, SYSTEM32\CONFIG\SECURITY and/or SYSTEM32\CONFIG\SYSTEM.
When this sequence is observed, i.e. a Shadow Snapshot is created, SAM, SYSTEM and/or SECURITY are then read from it over SMB, and the snapshot is then removed, it is treated as an indicator that this technique is in use.
This project relies purely on ETW.
Remember to add tdh.lib as a link dependency, as this library is not linked by default.
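The three-stage correlation described above (snapshot created, hive files read over SMB, snapshot removed), written out as a small stand-alone C correlator. This is an added example, not the project's own code: it takes already-decoded event records rather than raw ETW records (the TDH parsing of the two providers is left out), the `struct ev` type, the `correlate` and `hive_from_path` functions and the sample paths are all constructed here for illustration, and it alerts only once all three stages have been seen in order.

```c
/* Added example (not the project's code): correlate decoded ETW-style events
 * into the "Shadow Snapshot" pattern. Event records are constructed in-line;
 * in the real tool they would be produced by consuming the
 * Microsoft-Windows-WMI-Activity and Microsoft-Windows-SMBClient providers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical event model: one record per decoded ETW event. */
enum ev_kind { EV_OTHER = 0, EV_SHADOW_CREATE, EV_SMB_READ, EV_SHADOW_REMOVE };

struct ev {
    enum ev_kind kind;
    const char *path;   /* file path for EV_SMB_READ, NULL otherwise */
};

/* Bitmask of the three hives the README lists. */
enum { HIVE_SAM = 1, HIVE_SECURITY = 2, HIVE_SYSTEM = 4 };

/* Case-insensitive "does p end with suffix" (Windows paths are case-insensitive). */
static int ends_with_ci(const char *p, const char *suffix)
{
    size_t lp = strlen(p), ls = strlen(suffix);
    if (ls > lp) return 0;
    p += lp - ls;
    for (size_t i = 0; i < ls; i++)
        if (toupper((unsigned char)p[i]) != toupper((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Map an SMB read path to the hive it targets, or 0 if it is not one of them.
 * The full tail is matched so "...\CONFIG\SYSTEM" is not confused with other
 * names that merely start with the same letters. */
int hive_from_path(const char *path)
{
    if (!path) return 0;
    if (ends_with_ci(path, "\\SYSTEM32\\CONFIG\\SAM"))      return HIVE_SAM;
    if (ends_with_ci(path, "\\SYSTEM32\\CONFIG\\SECURITY")) return HIVE_SECURITY;
    if (ends_with_ci(path, "\\SYSTEM32\\CONFIG\\SYSTEM"))   return HIVE_SYSTEM;
    return 0;
}

/* Walk the event stream in order. Returns the bitmask of hives read between a
 * shadow-copy creation and its removal, or 0 if no complete pattern is seen.
 * Hive reads outside a snapshot window are ignored, so ordinary backups that
 * create and remove a snapshot without touching the hives do not alert. */
int correlate(const struct ev *evs, size_t n)
{
    int in_snapshot = 0, hives = 0;
    for (size_t i = 0; i < n; i++) {
        switch (evs[i].kind) {
        case EV_SHADOW_CREATE:
            in_snapshot = 1; hives = 0;            /* open a new window */
            break;
        case EV_SMB_READ:
            if (in_snapshot) hives |= hive_from_path(evs[i].path);
            break;
        case EV_SHADOW_REMOVE:
            if (in_snapshot && hives) return hives; /* all three stages seen */
            in_snapshot = 0; hives = 0;
            break;
        default:
            break;
        }
    }
    return 0;
}

/* Constructed sequence resembling the technique: create, read SAM and SYSTEM
 * from the snapshot over SMB, remove. Paths are made up for the example. */
int demo_dump_sequence(void)
{
    const struct ev evs[] = {
        { EV_SHADOW_CREATE, NULL },
        { EV_SMB_READ, "\\\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM" },
        { EV_SMB_READ, "\\\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM" },
        { EV_OTHER, NULL },
        { EV_SHADOW_REMOVE, NULL },
    };
    return correlate(evs, sizeof evs / sizeof evs[0]);
}

/* Constructed benign sequence: a snapshot is created and removed, and the
 * only SMB read is of an unrelated file. */
int demo_backup_sequence(void)
{
    const struct ev evs[] = {
        { EV_SHADOW_CREATE, NULL },
        { EV_SMB_READ, "\\\\Device\\HarddiskVolumeShadowCopy1\\Users\\Public\\report.docx" },
        { EV_SHADOW_REMOVE, NULL },
    };
    return correlate(evs, sizeof evs / sizeof evs[0]);
}

int main(void)
{
    printf("dump sequence   -> hive mask %d\n", demo_dump_sequence());
    printf("backup sequence -> hive mask %d\n", demo_backup_sequence());
    return 0;
}
```

The returned bitmask tells the operator which hives were read inside the snapshot window; a SAM-plus-SYSTEM hit is the combination needed to decrypt local account hashes, while SECURITY alone points at LSA secrets.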