Presented at DEF CON 33 (2025), Aug. 8, 2025, 11 a.m. (45 minutes).
Virtualization-based Security (VBS) is one of the most fascinating security advancements of recent years: by isolating critical components of the OS in a separate virtual trust level, it enabled Microsoft to achieve substantial security improvements with features like Credential Guard and HVCI.
One of the more interesting features enabled through VBS is VBS Enclaves, a technology that lets a process isolate a region of its own address space so that it is completely inaccessible to other processes, to the rest of the process itself, and even to the kernel.
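As an added example (not code from the talk or its author), here is a PowerShell posture check a defender can run to see whether a host can actually load VBS enclaves and which VBS-backed services are active. It relies on two documented Windows interfaces, kernel32's IsEnclaveTypeSupported and the Win32_DeviceGuard CIM class; the function names Get-EnclaveSupport and Get-VbsStatus and the status-code labels are this example's own.

```powershell
# Added example, not code from the talk: a host posture check for VBS enclaves.
# Assumes the documented kernel32!IsEnclaveTypeSupported API and the
# Win32_DeviceGuard CIM class in root\Microsoft\Windows\DeviceGuard.

Add-Type -Namespace VbsCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsEnclaveTypeSupported(uint flEnclaveType);
'@

# Enclave type constants as defined in winnt.h
$EnclaveTypes = [ordered]@{
    'SGX'       = 0x00000002   # ENCLAVE_TYPE_SGX
    'SGX2'      = 0x00000003   # ENCLAVE_TYPE_SGX2
    'VBS'       = 0x00000010   # ENCLAVE_TYPE_VBS
    'VBS_BASIC' = 0x00000011   # ENCLAVE_TYPE_VBS_BASIC
}

function Get-EnclaveSupport {
    # One row per enclave type, with whether the OS reports it loadable on this host.
    foreach ($entry in $EnclaveTypes.GetEnumerator()) {
        [pscustomobject]@{
            EnclaveType = $entry.Key
            Supported   = [VbsCheck.Native]::IsEnclaveTypeSupported([uint32]$entry.Value)
        }
    }
}

function Get-VbsStatus {
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # SecurityServicesRunning codes documented for Win32_DeviceGuard; unknown codes are shown raw
    $svcNames = @{
        1 = 'Credential Guard'
        2 = 'HVCI (Memory integrity)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $status  = [int]$dg.VirtualizationBasedSecurityStatus
    $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
        $code = [int]$_
        if ($svcNames.ContainsKey($code)) { $svcNames[$code] } else { "Service code $code" }
    })

    [pscustomobject]@{
        VbsStatus               = if ($vbsState.ContainsKey($status)) { $vbsState[$status] } else { "Unknown ($status)" }
        SecurityServicesRunning = $running
        # VBS enclaves can only be created when the OS reports ENCLAVE_TYPE_VBS as supported
        VbsEnclavesLoadable     = [VbsCheck.Native]::IsEnclaveTypeSupported([uint32]$EnclaveTypes['VBS'])
    }
}

# Usage
Get-EnclaveSupport | Format-Table -AutoSize
Get-VbsStatus | Format-List
```

If VbsEnclavesLoadable is false, no process on the host can create a VBS enclave, so the enclave-based tradecraft the talk describes is not available there; if it is true, the host is in scope. The check deliberately stops at capability detection: actually instantiating an enclave (CreateEnclave, LoadEnclaveImageW, InitializeEnclave, CallEnclave) requires a signed enclave DLL, which this script does not attempt to build or load.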
While VBS enclaves can have a wide range of security applications, they can also be very appealing to attackers - running malware in an isolated region, out of the reach of EDRs and security analysts? Sign us up!
With this research we set out to explore the concept of enclave malware. We will dive into VBS enclaves while exploring previously undocumented behaviors, and describe the different scenarios that can enable attackers to run malicious code inside enclaves.
We will then work towards weaponizing VBS enclaves: we will describe the different techniques malware running inside an enclave could use, and show how they enable stealthy implants that can go completely undetected.
References:
[Microsoft VBS enclave documentation](https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves)
Windows Internals, 7th edition, Part 1
Windows Internals, 7th edition, Part 2
[CVE-2023-36880 exploit](https://github.com/google/security-research/security/advisories/GHSA-wwr4-v5mr-3x9w)
[VBS enclave exploitation](https://www.outflank.nl/blog/2025/02/03/secure-enclaves-for-offensive-operations-part-i/)
Presenters:
- Ori David
Ori David is a senior security researcher at Akamai; his research is focused on offensive security, malware analysis, and threat hunting.