Brief Summary
This video is about Windows Sandbox and how it can be used for both offensive and defensive security purposes. It covers how the MirrorFace APT group has been using Windows Sandbox to carry out attacks, and how red teamers and penetration testers can use it to emulate cybercrime. The video also discusses the features of Windows Sandbox, how to configure it, and how to use it from the command line.
- Windows Sandbox is a virtual machine that is isolated from the host computer.
- It can be used to test files or experiment with what could be malware in a safe isolated environment.
- The MirrorFace APT group has been using Windows Sandbox to carry out attacks.
- Red teamers and penetration testers can use it to emulate cybercrime.
- Windows Sandbox can be configured to share folders with the host computer, enable networking, and run commands automatically.
- It can be used from the command line with the WSB.exe utility.
Introduction: MirrorFace APT and Windows Sandbox
The video introduces a writeup by ITOCHU Cyber & Intelligence Inc. about the MirrorFace APT group, which is targeting organisations in Japan using Windows Sandbox and Visual Studio Code. The presenter aims to explore Windows Sandbox, demonstrate its capabilities, and discuss its potential use in offensive security, drawing from real-world attack scenarios. The goal is to understand how threat actors leverage this tool and how it can be used for red teaming and penetration testing.
Windows Sandbox: A Quick Overview
Windows Sandbox is a virtual machine environment isolated from the host operating system, allowing users to test files and potential malware safely. It's available on modern Windows 10 and 11 computers, requiring virtualization to be enabled in the BIOS. The feature is disabled by default and can be turned on via the "Windows Features" in the start menu or through the command line using PowerShell or CMD with the DISM command. Enabling it requires a computer restart for the changes to take effect.
Enabling and Accessing Windows Sandbox
After enabling the Windows Sandbox feature and restarting the computer, you can search for "Windows Sandbox" in the start menu to launch it. The first run may involve downloading and installing updates. Once initiated, it provides a dynamic, ephemeral virtual machine environment running Windows within Windows, utilizing the Microsoft Hyper-V hypervisor. This virtual machine is limited but allows for experimentation. The user account is the WDAG utility account (Windows Defender Application Guard), which is the only user in this environment.
MirrorFace's Sandbox-Specific Malware
The MirrorFace APT group uses a customized version of the Lilith RAT called LilimRAT, which includes a check for the WDAG utility account user folder. If this folder doesn't exist, the malware terminates, indicating it is specifically designed to run within the sandbox. This is counterintuitive because malware usually avoids sandboxes. However, this approach allows the adversary to operate undetected because Windows Defender and other antivirus solutions are not present in the Windows Sandbox environment.
Bypassing Antivirus Detection
Actions within the Windows Sandbox are invisible to antivirus software, providing a unique advantage to threat actors. By infecting a target host, enabling Windows Sandbox, and rebooting the system, attackers can run malware, communicate with command and control (C2) servers, and perform malicious activities without being detected. The article discusses the default user and the absence of Windows Defender, as well as the use of configuration files to define the sandbox environment, including networking, shared directories, and execution commands.
Configuration Files and Attack Execution
Configuration files can specify networking, shared directories, and commands to execute within the sandbox. The MirrorFace APT group stages three files (batch file, archiver, and archive file) on the host machine after gaining initial access. Their malware runs undetected and uses the Tor network to communicate with their C2 server. Network communication from the sandbox appears to originate from the host machine's IP address, adding another layer of stealth.
Stealth and Capabilities of Windows Sandbox
Windows Sandbox can be made stealthy, and when combined with Tor for communication and the ability to work with files on the host machine, it becomes a powerful tool for attackers. There is no logging or antivirus within the sandbox, making it difficult to detect malicious activity. The video then transitions to a sponsored segment before demonstrating additional features of Windows Sandbox.
Exploring Windows Sandbox Features
The presenter explores the features of Windows Sandbox, including toggling full screen, clipboard sharing, and folder sharing. Clipboard sharing allows copying and pasting between the host and sandbox, raising concerns about potential clipboard snooping. The presenter also wonders about the possibility of using audio and video input for malicious purposes.
Sharing Folders and File System Access
The share folder functionality allows mapping locations on the host machine to the sandbox. By sharing a folder, any changes made within the sandbox are reflected on the host and vice versa. It is possible to share the entire file system, but this is more effectively done using a configuration file (.wsb file). The presenter references a blog post from December 2020 by Lloyd, which discusses using WSB files to stage actions within Windows Sandbox, bypassing antivirus and EDR.
WSB Configuration Files and Exploitation Techniques
WSB files are XML-based configuration files that define settings for Windows Sandbox. Lloyd's blog post covers enabling Windows Sandbox, checking for Windows Defender, and using a WSB file to run commands. An example includes mapping the entire root drive (C:) into the sandbox, which could be used for ransomware attacks or to extract sensitive data like Chrome cookies. The technique of using a virtual machine has been used by ransomware gangs like Maze and Ragnar Locker, but Windows Sandbox bypasses the need for installing third-party software.
Demonstrating WSB File Configuration
The presenter demonstrates using a WSB file to configure Windows Sandbox. He copies a sample WSB file from the original article, modifies it to map the C drive to the desktop, and sets write access. He then sets a command to invoke charmap.exe to test the configuration. Double-clicking the WSB file launches Windows Sandbox and automatically runs the specified command, providing access to the host's C drive.
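For defenders who find a .wsb file on a host, the following added example (not code from the video or the referenced articles) parses it and reports the settings discussed above: networking, host folder mappings and logon commands. The sample configuration is constructed to mirror the demo, and the list of sensitive path prefixes is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the demo described above: host C:\ mapped
# writable into the sandbox, plus a logon command. Not taken from the video.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\host</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>charmap.exe</Command></LogonCommand>
</Configuration>"""

# Host paths whose exposure to the sandbox deserves a closer look (assumed list).
SENSITIVE_PREFIXES = ("c:\\windows", "c:\\users", "c:\\programdata")


def audit_wsb(xml_text):
    """Return a list of (severity, message) findings for one .wsb document."""
    root = ET.fromstring(xml_text)
    findings = []
    # Networking is enabled unless the file explicitly disables it.
    net = (root.findtext("Networking") or "Default").strip().lower()
    if net != "disable":
        findings.append(("medium", "networking enabled in sandbox"))
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        # ReadOnly defaults to false, so a missing element means writable.
        writable = (mf.findtext("ReadOnly") or "false").strip().lower() != "true"
        norm = host.lower().rstrip("\\")
        is_root = len(norm) == 2 and norm[1] == ":"  # a whole drive, e.g. C:\
        if is_root or norm.startswith(SENSITIVE_PREFIXES):
            sev = "high" if writable else "medium"
            mode = "read-write" if writable else "read-only"
            findings.append((sev, f"{mode} mapping of {host}"))
    for cmd in root.iter("Command"):
        findings.append(("medium", f"logon command: {(cmd.text or '').strip()}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_wsb(SAMPLE_WSB):
        print(f"[{severity}] {message}")
```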
Running Windows Sandbox in the Background
The presenter highlights that Windows Sandbox can be run in the background without the interactive window using the WSB.exe command-line utility. Recent updates have added command-line capabilities for managing Windows Sandbox instances. The WSB.exe utility allows starting, listing, executing commands, sharing folders, stopping, and connecting to sandbox instances. The configuration can be passed as a string, avoiding the need for a WSB file artifact.
Command-Line Interface and Background Execution
The presenter demonstrates using the WSB.exe command to start a Windows Sandbox instance in the background. By passing the configuration as a string, the sandbox starts without displaying the window. The presenter then connects to the running instance using the ID provided by the start command. He also tests the execution of commands within the sandbox, such as running iexpress.exe, to validate the configuration.
Executing Commands and Monitoring Activity
The presenter demonstrates using the exec command to run charmap.exe within the sandbox, both as the existing login and as the system user. Running as system doesn't display the application, but it can be seen in the task manager. The presenter then opens the task manager on the host machine to look for any telltale signs of the sandbox activity. Processes like "Windows Sandbox remote session" and "Windows Sandbox server" are visible, providing potential indicators for tracking sandbox activity.
Forensic Indicators and Detection
The article discusses forensic indicators for tracking Windows Sandbox activity, including WSB files, operational logs, and sandbox processes. Executables like WindowsSandbox.exe and WindowsSandboxClient.exe are present in system32 once the feature is enabled. The presenter mentions that memory analysis could also reveal sandbox activity. He provides a link to the article for more details on forensic analysis.
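The host-side indicators above can be turned into a simple triage pass over process-creation telemetry. This added example (not from the video or the article) labels events that enable the sandbox feature, launch the sandbox executables, or use the wsb.exe CLI; the event tuples are constructed, and their (image, command line) layout is an assumption about how your log source is exported.

```python
import ntpath
import re

# Constructed process-creation records (image, command line), shaped like
# what Sysmon event 1 or Security event 4688 would provide.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\Dism.exe",
     "dism /online /enable-feature /featurename:Containers-DisposableClientVM /all"),
    ("C:\\Windows\\System32\\WindowsSandbox.exe",
     "WindowsSandbox.exe C:\\Users\\Public\\update.wsb"),
    ("wsb.exe", "wsb.exe start"),
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

FEATURE = "containers-disposableclientvm"  # optional-feature name of Windows Sandbox
SANDBOX_IMAGES = {"windowssandbox.exe", "windowssandboxclient.exe"}
CLI_VERBS = {"start", "exec", "share", "connect", "stop"}  # verbs named in the summary


def classify(image, cmdline):
    """Return a short label for sandbox-related activity, or None."""
    name = ntpath.basename(image).lower()
    low = cmdline.lower()
    # DISM or PowerShell turning the feature on (a reboot normally follows).
    if FEATURE in low and "enable" in low:
        return "feature-enabled"
    if name in SANDBOX_IMAGES:
        # Record the configuration file path when one is passed on the command line.
        m = re.search(r'[^\s"]+\.wsb\b', cmdline, re.I)
        return f"sandbox-launch config={m.group(0)}" if m else "sandbox-launch"
    if name == "wsb.exe":
        verbs = [t for t in low.split()[1:] if t in CLI_VERBS]
        return f"sandbox-cli {verbs[0]}" if verbs else "sandbox-cli"
    return None


def triage(events):
    """Keep only the events that received a label."""
    return [(img, label) for img, cmd in events if (label := classify(img, cmd))]


if __name__ == "__main__":
    for image, label in triage(SAMPLE_EVENTS):
        print(f"{label:45} {image}")
```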
Admin Privileges and Attack Surface
Enabling Windows Sandbox requires admin privileges, which are often available on personal devices. The presenter emphasizes the importance of understanding the attack surface offered by Windows Sandbox, especially the capability for malware to run undetected by antivirus.
Dynamic Shares and Sandbox Termination
The presenter demonstrates adding a shared folder to a running sandbox instance using the WSB command, mapping the host's system32 directory to a sensitive folder within the sandbox. He then shows that applications like Notepad can be run from the shared directory, even though they don't natively exist within the sandbox. Finally, he terminates the sandbox using the WSB stop command.
Conclusion: Creative Uses and Defense
The presenter concludes by highlighting the creative potential of using Windows Sandbox for both offensive and defensive purposes. By combining PowerShell or CMD scripts with persistence mechanisms, attackers can stage malware, prepare configurations, and move in and out of dynamic shares. Windows Sandbox can be used as a C2 or malware delivery opportunity without antivirus detection. The presenter encourages penetration testers, red teamers, and ethical hackers to add this tool to their toolkit, emphasizing the importance of understanding offensive techniques for effective defense.