Overview
Explore the weaponization of Microsoft's Virtualization Based Security (VBS) Enclaves in this 37-minute DEF CON 33 conference talk that reveals how advanced security features can be turned against defenders. Discover how VBS technology, designed to isolate critical OS components and enable security improvements like Credential Guard and HVCI, creates new attack vectors when VBS Enclaves are exploited by malicious actors. Learn about the fundamental concepts of VBS Enclaves, which allow a process to isolate memory regions, making them inaccessible to other processes, the process itself, and even the kernel. Examine previously undocumented behaviors of VBS Enclaves and understand the various scenarios that enable attackers to execute malicious code within these isolated environments. Investigate the techniques malware can employ when running inside enclaves, including methods for creating stealthy implants that can evade detection by EDRs and security analysts. Gain insights into how attackers can leverage this isolation technology to run malware in regions completely out of reach of traditional security monitoring tools, effectively turning Microsoft's security advancement into a powerful offensive capability.
Syllabus
DEF CON 33 - Virtualization Based Insecurity: Weaponizing VBS Enclaves - Ori David
Taught by
DEFCONConference