Wsb-Detect - Tool To Detect If You Are Running In Windows Sandbox ("WSB")
2020-11-25 20:30:00 Author: www.blogger.com

<div class="separator" style="clear: both; text-align: center;"><img alt="wsb-detect" border="0" data-original-height="165" data-original-width="305" src="https://1.bp.blogspot.com/-gtvW86fMx64/X73LNPnTl2I/AAAAAAAAUd4/Yfqdx1AD_GkiPcc7U9Wq3dCHj9f1pO1iwCNcBGAsYHQ/s16000/wsb-detect_1.png" /></div>
<p>wsb-detect enables you to detect if you are running in Windows Sandbox ("WSB"). The sandbox is used by Windows Defender for dynamic analysis, and is also commonly used manually by security analysts and the like. At the tail end of 2019, Microsoft introduced a new feature named Windows Sandbox (WSB for short). The techniques used to fingerprint WSB are outlined below, in the Techniques section. Feel free to submit a pull request if you have any fingerprinting ideas. I've been messing around with it now and then; I will have more on Windows Sandbox coming soon.</p>
<p>Windows Sandbox allows you to quickly, within 15s, create a disposable Hyper-V based Virtual Machine with all of the qualities a familiar VM would have, such as clipboard sharing, mapping directories, etc. The sandbox is also the underlay for Microsoft Defender Application Guard (WDAG), for dynamic analysis on Hyper-V enabled hosts, and can be enabled on any Windows 10 Pro or Enterprise machine. It's not particularly interesting, but nonetheless could prove useful in implant development. Thank you to my friend <a href="https://twitter.com/jonasLyk" rel="nofollow" target="_blank" title="Jonas L">Jonas L</a> for guidance when I was exploring the sandbox internals (more to come on this).</p>
<span style="font-size: x-large;"><b>Usage</b></span>
<p>The <code>detect.h</code> header exports all of the functions which can be combined to detect if</p>
<div><pre><code>#include &lt;stdio.h&gt;
#include "detect.h"

int main(int argc, char** argv)
{
    // example: combine the vmsmb device check &amp; the username check
    if (wsb_detect_dev() || wsb_detect_username())
    {
        puts("We're in Windows Sandbox!");
        return 0;
    }

    // neither indicator matched
    return 1;
}</code></pre></div>
<span style="font-size: x-large;"><b>Techniques</b></span>
<span style="font-size: large;"><b><code>wsb_detect_time</code></b></span>
<p>The image for the sandbox seems to be built on <code>Saturday, December 7, 2019, 9:14:52 AM</code>, which is around the time Windows Sandbox was released to the public. This check cross-references the creation timestamp on the <code>mountmgr</code> driver.</p>
<span style="font-size: large;"><b><code>wsb_detect_username</code></b></span>
<p>This method checks if the current username is <code>WDAGUtilityUserAccount</code>, the account used by default in the sandbox.</p>
<span style="font-size: large;"><b><code>wsb_detect_suffix</code></b></span>
<p>This method uses <code>GetAdaptersAddresses</code>, walks over the list of adapters, and compares each DNS suffix to <code>mshome.net</code>, which is used by default in the sandbox.</p>
<span style="font-size: large;"><b><code>wsb_detect_dev</code></b></span>
<p>Checks if the raw device <code>\\.\GLOBALROOT\device\vmsmb</code> can be opened; it is used for communication with the host over SMB.</p>
<span style="font-size: large;"><b><code>wsb_detect_cmd</code></b></span>
<p>Searches under the <code>RunOnce</code> key in <code>HKEY_LOCAL_MACHINE</code> for a command, run at startup, which sets the password never to expire.</p>
<span style="font-size: large;"><b><code>wsb_detect_office</code></b></span>
<p>Checks for the <code>OfficePackagesForWDAG</code> directory in the current root drive, which seems to be used for Windows Defender Microsoft Office emulation.</p>
<span style="font-size: large;"><b><code>wsb_detect_proc</code></b></span>
<p>Checks for <code>CExecSvc.exe</code>, the container execution service, which handles a lot of the heavy lifting.</p>
<span style="font-size: large;"><b><code>wsb_detect_genuine</code></b></span>
<p>A more generic method when it comes to sandbox detection; however, from tests, the Windows installation in the VMs doesn't seem to be verified as legitimate.</p>
<span style="font-size: x-large;"><b>Trivia</b></span>
<p>If you wish to contact me quicker, feel free to contact me on <a href="https://twitter.com/LloydLabs" rel="nofollow" target="_blank" title="Twitter">Twitter</a> or <a href="mailto:[email protected]" rel="nofollow" target="_blank" title="e-mail">e-mail</a>. Also, it's possible on the host to detect if the sandbox is running, by checking if you can create a mutex named <code>WindowsSandboxMutex</code>. This limits the sandbox to one virtual machine per host; however, you can release this mutex by simply duplicating the handle and calling <code>ReleaseMutex</code>. Voilà, you can have multiple instances.</p>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/LloydLabs/wsb-detect" rel="nofollow" target="_blank" title="Download Wsb-Detect">Download Wsb-Detect</a></span></b></div>
<p>Zion3R</p>
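<p>As an added example that is not part of the wsb-detect project, the following PowerShell script re-implements the in-guest indicators from the Techniques section so an analyst can audit which of them a given Windows Sandbox image exposes (and therefore which ones to change before using the sandbox for analysis). It assumes the default <code>mountmgr.sys</code> path, the default <code>HKLM</code> <code>RunOnce</code> location, and that the RunOnce command text contains the word "expire"; the <code>WDAGUtility*</code> prefix match is also an assumption.</p>

```powershell
# Added example, not part of wsb-detect: audit which of the WSB indicators
# above are visible from inside the current session. Assumed: default
# mountmgr.sys path, default RunOnce key, RunOnce command text mentions "expire".

function Test-WsbUsername {
    # The page names WDAGUtilityUserAccount; matching the prefix is an assumption.
    $env:USERNAME -like 'WDAGUtility*'
}
function Test-WsbTime {
    # Compare the mountmgr driver's creation date with the 7 Dec 2019 image build.
    $drv = Join-Path $env:SystemRoot 'System32\drivers\mountmgr.sys'
    if (-not (Test-Path $drv)) { return $false }
    (Get-Item $drv).CreationTime.Date -eq [datetime]'2019-12-07'
}
function Test-WsbSuffix {
    # Same per-adapter DNS suffix that GetAdaptersAddresses exposes.
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.GetIPProperties().DnsSuffix -ieq 'mshome.net') { return $true }
    }
    $false
}
function Test-WsbCmd {
    # Look for the password-never-expires command under the HKLM RunOnce key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    if (-not (Test-Path $key)) { return $false }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        if ("$($p.Value)" -imatch 'expire') { return $true }
    }
    $false
}
function Test-WsbOffice { Test-Path (Join-Path $env:SystemDrive 'OfficePackagesForWDAG') }
function Test-WsbProc   { [bool](Get-Process -Name 'CExecSvc' -ErrorAction SilentlyContinue) }

# The raw vmsmb device open needs CreateFile and is left to the C tool.
$results = [ordered]@{
    username = Test-WsbUsername
    time     = Test-WsbTime
    suffix   = Test-WsbSuffix
    cmd      = Test-WsbCmd
    office   = Test-WsbOffice
    proc     = Test-WsbProc
}
foreach ($r in $results.GetEnumerator()) { '{0,-9} {1}' -f $r.Key, $r.Value }
$hits = @($results.Values | Where-Object { $_ }).Count
"Windows Sandbox indicators present: $hits of $($results.Count)"
```

<p>Run it once inside a fresh sandbox and once on the host: every indicator that reports <code>True</code> only in the sandbox is a fingerprint the analysis environment gives away.</p>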

Source: http://www.blogger.com/feeds/8317222231133660547/posts/default/8218782937724133567