Windows VBS vs Local Privilege Escalation

The following statement is from Microsoft

"The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks.

Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves."

 

This is good news, Windows is evolving to prevent another EternalBlue\Wannacry and resist Kernel exploits......right.....That's the Microsoft statement its not like they would mislead....lets put that statement to the test....

The target is Windows 10 x64 1909 Hyper-V Gen 2 VM, without any patches, vTPM, Windows Defender, Firewall are enabled and configured out of the box. 

The exploit will be run as a user without any additional rights or privileges.

The SMBGhost (2020-0796) exploit will be used to gain System and was downloaded from Zecops here.

In addition Python version 3 needs to be installed here

Copy the exploit to Windows and double click on 'poc.py'.

So out of the box Windows fell in seconds, no Defender alerts, not that I was expecting any.

To configure 'Core Isolation' open 'Device Security' and select 'On'

GPO Settings

Computer Configuration > Administrative Templates > System > Device Guard

Turn on Virtualization Based Security (enable)

Secure Boot and DMA Protection

Enable with UEFI Lock

Reboot

 

Run 'msinfo32.exe' to check the status and make sure VBS is running.

I re-ran the 2020-0796 SMBGhost exploit 'poc.py' and despite Microsoft's statement of Windows being more 'resilient' to Kernel exploits it did not stand up in the slightest. This is the exact type of exploit that led to Wannacry and what VBS is designed to defeat.

 

Further testing and different exploits may yield different results.