1

Windows 10 has a new sandbox which is based on a very small and fast Hyper-V VM. With every start of the sandbox you get a "fresh" Windows and on every sandbox termination, all changes are discarded.

My question is: Is it possible to define in which state the sandbox starts? E.g. is it possible to start the VM with pre-installed reversing tools or a script that is automatically run, as soon as the system is booted?

Use case: Due to its fast start-up time and "throw away" characteristics, the Windows 10 sandbox would be a dream for automated malware analysis.

StayOnTarget
secana

2 Answers

0

You can somehow change the behavior of the sandbox. For example, run a script at startup or disable the network. See here for a how-to: https://medium.com/@maarten.goet/how-windows-1903-makes-malware-analysis-easier-introducing-windows-sandbox-3ec791c8367

secana
  • I suggest adding some details from that external link to the answer... eventually that link will die and the answer won't be useful anymore. – StayOnTarget Oct 28 '22 at 12:42
0

In general, sandbox startup can be controlled by a startup configuration file:

Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. ... Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension.

The specific ability to execute a script upon sandbox startup is documented here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#logon-command

It says:

Logon command

Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account.

XML

<LogonCommand>
  <Command>command to be invoked</Command>
</LogonCommand>

Command: A path to an executable or script inside the container that will be executed after signing in.

Note

Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the LogonCommand directive.

StayOnTarget
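A complete configuration file that does what both answers describe, as an added example that is not part of the question or either answer: it maps a read-only host folder of tools into the sandbox, disables networking and clipboard sharing so the guest stays isolated, and runs a script from the mapped folder through the LogonCommand directive. The host path C:\SandboxTools and the script name start.ps1 are assumptions; WDAGUtilityAccount is the sandbox's built-in user account, and mapped folders appear on its Desktop under the host folder's name by default.

```xml
<!-- Added example, not code from the question or the answers.
     Save as e.g. analysis.wsb and open it to start the sandbox.
     Assumed: host folder C:\SandboxTools contains the tools and start.ps1. -->
<Configuration>
  <!-- Keep the guest isolated: no network, no clipboard shared with the host -->
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Optional: do not expose the host GPU driver to the guest -->
  <vGPU>Disable</vGPU>
  <!-- Memory for the sandbox VM, in MB -->
  <MemoryInMB>4096</MemoryInMB>

  <MappedFolders>
    <MappedFolder>
      <!-- Host folder holding the analysis tools and start.ps1 (assumed path) -->
      <HostFolder>C:\SandboxTools</HostFolder>
      <!-- ReadOnly: nothing running in the sandbox can write back to this host folder -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>

  <!-- Runs once after the container user logs on; mapped folders are found under
       the container user's Desktop, so the script is referenced from there -->
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\SandboxTools\start.ps1</Command>
  </LogonCommand>
</Configuration>
```

Everything the script produces inside the sandbox is discarded when the sandbox closes. Getting results out needs a second, writable mapped folder, which reopens a path from the guest to the host file system; keep such a folder dedicated to that purpose and treat whatever lands in it as untrusted.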