Windows VBS vs Local Privilege Escalation

​

​

The following statement is from Microsoft

​

"The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks.

​

Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves."

 

This is good news, Windows is evolving to prevent another EternalBlue\Wannacry and resist Kernel exploits......right.....That's the Microsoft statement its not like they would mislead....lets put that statement to the test....

​

The target is Windows 10 x64 1909 Hyper-V Gen 2 VM, without any patches, vTPM, Windows Defender, Firewall are enabled and configured out of the box. 

​

The exploit will be run as a user without any additional rights or privileges.​​

​

The SMBGhost (2020-0796) exploit will be used to gain System and was downloaded from Zecops here.​

​

In addition Python version 3 needs to be installed here. 

​

Copy the exploit to Windows and double click on 'poc.py'.

​

Out of the box, Windows fell in seconds, no Defender alerts, not that I was expecting any.