365labs - Microsoft 365 and cybersecurity consultancy


Windows Sandbox

Windows Sandbox is a lightweight, non-persistent desktop environment (a sandbox) in which applications and documents can be opened, tested and analysed before they are allowed anywhere near production. Because the environment is temporary, installed software, data and system state are discarded when the sandbox is shut down, and each new instance starts from a clean desktop. This removes the need for separate virtualisation software, which usually takes far more time and resources to set up.

Since Windows 11 build 22509 the sandbox survives reboots that are initiated from within it, which is useful when a software installation needs a reboot to complete. Closing the sandbox window still discards everything.

The feature is available in the Pro, Enterprise and Education editions of Windows 10 and 11. That said, it is not good practice to conduct malware analysis or detonation on production machines, production networks or Privileged Access Workstations, sandbox or not: the sandbox still runs on the host and, by default, shares its network.

Run the following from an elevated PowerShell prompt to install the optional feature, then reboot:

Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All

The Sandbox app should now be available on the Start menu.
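Before enabling the feature it is worth confirming that the host actually meets the requirements (Pro/Enterprise/Education edition, 64-bit OS, virtualisation enabled in firmware, at least 4 GB of RAM), because Enable-WindowsOptionalFeature succeeds on hosts where the sandbox later refuses to start. The script below is an added example, not part of the original post; it uses only inbox cmdlets and is run from an elevated PowerShell session.

```powershell
# Added example (not from the original post): check Windows Sandbox prerequisites,
# then enable the feature only if it is not already on. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$edition = (Get-WindowsEdition -Online).Edition     # e.g. Professional, Enterprise, Education
$info    = Get-ComputerInfo
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'

$problems = @()

if ($edition -notmatch 'Professional|Enterprise|Education') {
    $problems += "Edition '$edition' does not include Windows Sandbox (Pro, Enterprise or Education required)."
}

if ($info.OsArchitecture -notmatch '64') {
    $problems += "Windows Sandbox needs a 64-bit OS; found '$($info.OsArchitecture)'."
}

# When a hypervisor is already running (Hyper-V, WSL2, Device Guard) the
# HyperVRequirement* fields are empty, so treat a present hypervisor as
# virtualisation being available.
$virtAvailable = $info.HyperVisorPresent -or $info.HyperVRequirementVirtualizationFirmwareEnabled
if (-not $virtAvailable) {
    $problems += 'Virtualisation is not enabled in firmware (enable Intel VT-x / AMD-V in BIOS/UEFI).'
}

$ramGB = [math]::Round($info.CsTotalPhysicalMemory / 1GB)
if ($ramGB -lt 4) {
    $problems += "Only $ramGB GB of RAM present; 4 GB is the minimum (8 GB recommended)."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

if ($feature.State -eq 'Enabled') {
    Write-Output 'Windows Sandbox is already enabled.'
}
else {
    # -NoRestart lets us report the result; the feature is only usable after a reboot.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Output 'Windows Sandbox enabled; reboot to finish the installation.'
    }
}
```

If the host is itself a virtual machine, the virtualisation check fails unless nested virtualisation has been exposed to it by the outer hypervisor; that is configured on the outer host, not inside this script.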

Creating a configuration file

Use an editor such as Notepad, Notepad++ or Visual Studio Code to create a new file containing:

<Configuration>

</Configuration>

Add your configuration options between the two Configuration elements and save the file with a .wsb extension. Double-clicking the .wsb file (or invoking it from PowerShell or CMD) launches a sandbox instance with that configuration. Only one sandbox instance can run at a time, so close any running sandbox before launching another profile.

Additional configuration and further information

Protected client

Applies additional security settings to the Remote Desktop client that the host uses to present the sandbox, reducing its attack surface. It is not enabled by default; if you are testing malware or other potentially malicious software you should enable it. Accepted values are Enable, Disable and Default. Note that protected client mode can restrict copying and pasting files between the host and the sandbox.

Apply additional security settings to the RDP session to the sandbox:

<ProtectedClient>value</ProtectedClient>

Networking

Networking is enabled by default and can be disabled. With networking enabled the sandbox can reach whatever the host can, including the internal network, so disable it when detonating untrusted samples. Accepted values are Enable, Disable and Default.

Enable or disable network access within the sandbox:

<Networking>value</Networking>

Resources

The virtualised GPU can be disabled so that the sandbox falls back to software rendering via the Windows Advanced Rasterization Platform (WARP). vGPU requires a compatible GPU and graphics driver (WDDM 2.5 or newer), so disabling it can resolve graphics problems on hosts that lack them; enabling it also widens the sandbox's attack surface, so leave it off for analysis work. The amount of memory allocated to the sandbox can be set in MB; a value too small to boot the sandbox is raised automatically to the required minimum.

Enable or disable the virtualized GPU:

<vGPU>value</vGPU>

Assign the memory to the sandbox:

<MemoryInMB>value</MemoryInMB>

Logon command

Configures the sandbox to execute a command once the sandbox user has signed in. This can be used to install software, change settings, or run PowerShell scripts to install features. The path is interpreted inside the sandbox, so a script placed in a mapped folder is reachable under that folder's sandbox path (by default C:\Users\WDAGUtilityAccount\Desktop\<folder name>).

Execute a command when the Windows Sandbox starts:

<LogonCommand>
  <Command>command to be invoked</Command>
</LogonCommand>

Redirections

Redirection of printers, clipboard, video (webcam), audio and folder mapping are additional features. Each one opens a channel between the host and the sandbox and therefore increases the host's attack surface, so they should not be enabled by default; turn on only what a specific test needs.

Share folders from the host with read-only or read/write access. HostFolder must be an absolute path on the host; SandboxFolder is optional and defaults to a folder of the same name on the sandbox desktop; ReadOnly is true or false (false if omitted). A folder mapped with write access lets code running in the sandbox write to the host's file system, so map read-only wherever possible:

<MappedFolders>
  <MappedFolder>
    <HostFolder>path to the host folder</HostFolder>
    <SandboxFolder>path to the sandbox folder</SandboxFolder>
    <ReadOnly>value</ReadOnly>
  </MappedFolder>
</MappedFolders>

Share the host’s microphone input into the sandbox:

<AudioInput>value</AudioInput>

Share the host’s webcam input into the sandbox:

<VideoInput>value</VideoInput>

Share printers from the host into the sandbox:

<PrinterRedirection>value</PrinterRedirection>

Share the host clipboard within the sandbox:

<ClipboardRedirection>value</ClipboardRedirection>

Example

This disables the vGPU and networking and maps the host's Public Downloads folder (C:\Users\Public\Downloads) into the sandbox read-only. Because no SandboxFolder is given, the folder appears on the sandbox desktop as Downloads, and the logon command invokes Explorer to open it there.

<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\Downloads</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
  </LogonCommand>
</Configuration>
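The example above leaves the default redirections (clipboard, audio) in place. For sample detonation a practitioner would normally want the opposite profile: every option in the Protected client, Networking, Resources, Logon command and Redirections sections set to its most restrictive value, with a single read-only mapped folder as the only channel in. The script below is an added example, not from the original post or from Microsoft; it writes such a profile from PowerShell, drops a baseline script into the mapped folder for the logon command to run, validates the XML, and launches the sandbox. The paths $SampleDir and $ProfilePath are assumptions to be adjusted for your host.

```powershell
# Added example (not from the original post): generate a locked-down .wsb profile
# for detonating a sample and launch it. $SampleDir and $ProfilePath are assumed paths.
$ErrorActionPreference = 'Stop'
$SampleDir   = 'C:\Samples'                        # host folder holding the files under test
$ProfilePath = Join-Path $env:TEMP 'analysis.wsb'  # where the generated profile is written

if (-not (Test-Path -LiteralPath $SampleDir -PathType Container)) {
    throw "Sample folder '$SampleDir' does not exist."
}

# Script executed inside the sandbox by LogonCommand. It is stored in the mapped
# folder (read-only from the sandbox side) and writes a baseline of file hashes,
# processes and listening ports to the sandbox desktop, which is discarded on exit.
# $PSScriptRoot resolves to the mapped folder's path inside the sandbox.
$BaselineScript = @'
$out = Join-Path $env:USERPROFILE 'Desktop\baseline.txt'
'=== SHA256 of files in the mapped folder ===' | Out-File -FilePath $out -Width 200
Get-ChildItem -LiteralPath $PSScriptRoot -File | Get-FileHash -Algorithm SHA256 |
    Format-Table Hash, Path -AutoSize | Out-File -FilePath $out -Width 200 -Append
'=== Running processes ===' | Out-File -FilePath $out -Width 200 -Append
Get-Process | Sort-Object Name | Format-Table Id, Name, Path -AutoSize |
    Out-File -FilePath $out -Width 200 -Append
'=== Listening TCP ports ===' | Out-File -FilePath $out -Width 200 -Append
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize |
    Out-File -FilePath $out -Width 200 -Append
Get-Content -LiteralPath $out
'@
Set-Content -LiteralPath (Join-Path $SampleDir 'baseline.ps1') -Value $BaselineScript -Encoding UTF8

# The mapped folder lands on the sandbox desktop under the host folder's leaf name
# because no SandboxFolder is specified.
$FolderName    = Split-Path -Path $SampleDir -Leaf
$HostFolderXml = [System.Security.SecurityElement]::Escape($SampleDir)   # XML-escape the host path

$WsbXml = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Disable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MemoryInMB>4096</MemoryInMB>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolderXml</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -NoExit -File C:\Users\WDAGUtilityAccount\Desktop\$FolderName\baseline.ps1</Command>
  </LogonCommand>
</Configuration>
"@

# Fail here, not at launch, if the generated profile is not well-formed XML.
$null = [xml]$WsbXml
Set-Content -LiteralPath $ProfilePath -Value $WsbXml -Encoding UTF8

if (Get-Process -Name 'WindowsSandbox' -ErrorAction SilentlyContinue) {
    throw 'A Windows Sandbox instance is already running; only one is supported at a time.'
}
Start-Process -FilePath $ProfilePath   # opens the .wsb with its registered handler, as a double-click would
```

Two points of design: the sample folder is the only host resource the sandbox can see, and it is mapped read-only, so nothing the sample does can write back to the host through it, but the folder's entire contents are readable from inside the sandbox, so it must contain nothing beyond the files under test. The -NoExit switch keeps the logon console open so the baseline is visible for comparison after the sample has been run.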

Source: Microsoft.com
