Windows Sandbox Abuse for Defense Evasion
The execution of Windows Sandbox processes with sensitive configurations (write access to the host file system, network connection, automatic execution via logon command) is identified, as malware may abuse this sandbox feature to evade detection.
Attackers are increasingly leveraging Windows Sandbox, a lightweight virtual environment, to evade detection. This technique involves configuring the sandbox with sensitive permissions, such as enabling network connections, granting write access to the host file system, and setting up automatic command execution via logon commands. This allows malware to operate within an isolated environment while still interacting with and potentially compromising the host system. The activity detected involves the execution of wsb.exe or WindowsSandboxClient.exe with specific command-line arguments, such as <Networking>Enable</Networking>, <HostFolder>C:\\<ReadOnly>false, and <LogonCommand>. Defenders need to be aware of this technique as it can effectively bypass traditional security measures that rely on monitoring host-based activities.
Attack Chain
- The attacker gains initial access to the system through an exploit or social engineering.
- The attacker deploys or gains access to
wsb.exeorWindowsSandboxClient.exe. - The attacker configures the Windows Sandbox with sensitive settings, including enabling network connections using
<Networking>Enable</Networking>or<NetworkingEnabled>true. - The attacker grants the sandbox write access to the host file system using the configuration parameter
<HostFolder>C:\\<ReadOnly>false. - The attacker sets up automatic command execution within the sandbox upon logon using the
<LogonCommand>parameter. - Malicious code is executed within the sandbox, leveraging the enabled network connection to download additional tools or exfiltrate data.
- The malicious code modifies files on the host system through the granted write access, potentially installing persistent backdoors or compromising system configurations.
- The attacker uses the sandbox environment to hide their activities, making detection more challenging due to the isolated nature of the environment.
Impact
Successful exploitation can lead to a compromised host system, despite the sandbox's intended isolation. Attackers can use this technique to bypass security controls, exfiltrate sensitive data, or establish persistent access to the system. The severity of the impact depends on the extent of access granted to the sandbox and the actions performed within it. Depending on the organization's security posture, a successful attack of this type can lead to significant data breaches and operational disruption.
Recommendation
- Deploy the "Windows Sandbox with Sensitive Configuration" rule to your SIEM to detect suspicious
wsb.exeorWindowsSandboxClient.exeprocess creation with sensitive command-line arguments (rule). - Investigate any alerts generated by the above rule, focusing on processes with command lines containing
<Networking>Enable</Networking>,<HostFolder>C:\\<ReadOnly>false, or<LogonCommand>(rule). - Monitor process creation events for
wsb.exeorWindowsSandboxClient.exeand their associated command-line arguments (log source: process_creation). - Implement network monitoring to identify any unusual network connections originating from Windows Sandbox processes (log source: network_connection).
- Review and restrict the use of Windows Sandbox in environments where it is not required to minimize the attack surface (policy).
Detection coverage 3
Windows Sandbox with Network Enabled
mediumDetects Windows Sandbox execution with network connectivity enabled.
Windows Sandbox with Host Folder Write Access
mediumDetects Windows Sandbox execution with write access to the host file system.
Windows Sandbox with Logon Command
mediumDetects Windows Sandbox execution with a specified logon command.
Detection queries are available on the platform. Get full rules →