how to create a hyperv sandbox environment
Bottom-line: Great, lightweight virtual machine for quickly testing suspicious emails, links, and files on Windows 10, but very little versatility and without features common to most VMs.
After attending my latest webinar on forensically examining phishing (https://info.knowbe4.com/phishing-forensics?hsLang=en), some attendees recommended I take a look at Windows 10 Sandbox, a new lightweight virtual machine (VM) created by Microsoft for quickly testing potentially rogue content. Unlike my recent review of the Outlook Mr. Post add-in (https://www.linkedin.com/pulse/my-review-mr-post-outlook-phish-checking-add-in-roger-grimes), I really like the Windows 10 Sandbox and recommend it as long as you are aware of its limitations.
Microsoft released the new Windows Sandbox feature in December 2018 with Windows 10 Pro or Enterprise Insider build 18305 (https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849). To use it you need Windows 10 Professional or Enterprise, build 18305 or newer (Insider builds) or 1903 or newer (production builds), a 64-bit processor, and hardware virtualization enabled in your BIOS/EFI boot configuration, plus the normal memory and storage requirements.
Installing Windows Sandbox
Make sure you have hardware virtualization enabled. There are lots of ways to check this, but the quickest is to kick off Task Manager, click on the Performance tab and look for the Virtualization option to be Enabled (see below).
If it isn't enabled, you'll need to make sure virtualization hardware is enabled in the BIOS/EFI boot configuration and that the following services and technologies are enabled in Windows:
- Hyper-V
- Hyper-V Host Compute Service
- Data Execution Prevention
- Second Level Address Translation (VT-d or RVI)
- Virtualization Technology
- VM Monitor Mode Extensions
To see if you have the right version of Windows, open Turn Windows features on or off; if it is installed (and allowed by management), it should show up as a separate feature called Windows Sandbox (see below).
If it is not enabled, enable the related check box, let it install, and reboot when it is all over.
Launching Windows Sandbox
You should then have a new app and icon that looks like below.
If you click on the app, you'll see the following screen begin to launch before the full VM is shown below.
Then the full VM will be displayed (see below).
Using Windows Sandbox
It starts up booted in stand-alone workgroup mode, and auto-logs in using a newly created member of the local Administrators group called WDAGUtility. It is created by a script using the NET USE commands, which also gives it a password and adds it to the local Administrators group. User Account Control (UAC) is not enabled.
WDAGUtility is a static name, but the password associated with it, which you never have to enter unless you intentionally perform an action that requires it, is randomly created and changed on every boot. You can see what the password is by looking for Event 25000 in the Windows Event Viewer folder Microsoft-Windows-Hyper-V-Compute/Operational (see example screenshot of the NET USE command and the long, random password below).
The built-in Administrator, Guest, and something called the DefaultAccount accounts are also created and disabled by default. The built-in local security groups are present. You can create more users and groups and manipulate them like you normally would.
The sandbox is a copy of your Windows image without any user modifications or added applications. Microsoft Edge and Internet Explorer are there. Your favorites and documents will not be there. Microsoft Office and applications are not loaded and can't be easily loaded, because Office now requires that UAC be enabled. Windows Defender, the Microsoft anti-malware program, is not enabled and can't be enabled, although you can install a third-party anti-malware program. Windows Defender Firewall is enabled. You can install other programs, although not all programs will load because of various issues. You can copy files to and from the guest and host using Edit/Copy and Edit/Paste and File Explorer. Drag and drop does not work. Cmd.exe is available and works, as are most command-line programs and local Windows management consoles. Your mouse cursor and keyboard commands work seamlessly when on the guest image and when focus is back on the host. The guest has access to the Internet through a newly created virtual Ethernet interface installed on both the guest and the host. Remote computers see all network information as if it is coming from the host, including the MAC address.
Any time you close the guest you will get the prompt below and lose any and all changes to, and programs installed on, the VM. When you restart the VM you will have a new clean image as if you had never loaded it before or made any changes. There is no way to change this.
Security
As best as I can read from the developer's first public post on Windows Sandbox (https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox/ba-p/301849), although it uses a hardware-based hypervisor to run, there absolutely are shared resources (e.g. code, memory, etc.) with the underlying host OS. I'm sure Microsoft has absolutely done their threat modeling on this decision, but it's different than most full-featured VM software programs, and could lead to guest-to-host or host-to-guest malicious co-mingling if the right circumstances happen. Still, the risk is fairly low overall. Just know that the virtualized separation isn't as clean as you find in Microsoft's own Hyper-V application and other popular competitors, like VMware.
Despite some co-mingling of resources, probably 99.9999% of what you can find out there will be limited to your sandbox unless you do something crazy to intentionally leak an issue between systems. Here's a YouTube video of someone firing off a very destructive malware program in Windows Sandbox and not worrying: https://www.youtube.com/watch?v=xxqKizvZKt4.
Use as a Forensic Sandbox
Windows Sandbox is great as a quick environment to run something you aren't sure about, but it has no built-in forensic examination tools beyond what a clean copy of Windows might have. And it can't permanently store your favorite forensic tools for examining content. If I were you, I'd build a folder on the host with all your favorite tools and applications; that way you can copy them back to the new sandbox image in one fell swoop. It will at least save your download and install time.
Update (2/25/20): An alert reader knew about a way to create a configuration file that would allow all new Windows Sandbox VMs to be configured on the fly with folders shared between the host and the guest VM (where you can store your forensic tools), startup scripts, and other startup configuration changes: https://techcommunity.microsoft.com/t5/windows-kernel-internals/windows-sandbox-config-files/ba-p/354902.
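The installation checks above and the configuration-file approach from this update, as one added example that is not part of the original article: run from an elevated PowerShell prompt on the host, it verifies the Hyper-V requirements, enables the Windows Sandbox optional feature, and writes a .wsb file that maps a read-only tools folder into every new sandbox and turns networking off so a detonated sample cannot phone home. It assumes the tools folder is C:\SandboxTools, that the file is saved as C:\SandboxTools\Forensics.wsb, and that a mapped folder appears on the sandbox user's desktop under its host folder name.

```powershell
# Added example, not code from the original article. Run as Administrator on the host.
$info = Get-ComputerInfo

if ($info.HyperVisorPresent) {
    # A hypervisor is already running, so Windows does not report the individual checks.
    Write-Host 'Hypervisor already present; hardware virtualization is in use.'
} else {
    # These mirror the list in the article: firmware virtualization, SLAT, DEP, VMX/SVM.
    $checks = [ordered]@{
        'Virtualization enabled in firmware' = $info.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation'   = $info.HyperVRequirementSecondLevelAddressTranslation
        'Data Execution Prevention'          = $info.HyperVRequirementDataExecutionPreventionAvailable
        'VM Monitor Mode Extensions'         = $info.HyperVRequirementVMMonitorModeExtensions
    }
    $missing = $checks.Keys | Where-Object { -not $checks[$_] }
    if ($missing) {
        throw "Enable these in BIOS/EFI before continuing: $($missing -join ', ')"
    }
}

# Windows Sandbox is the optional feature 'Containers-DisposableClientVM'.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart | Out-Null
    Write-Host 'Windows Sandbox enabled; reboot before launching it.'
}

# Build the .wsb configuration. ReadOnly keeps anything run in the guest from writing
# back into the host tools folder; Networking Disable keeps a suspicious file offline.
$hostTools = 'C:\SandboxTools'   # assumption: where your forensic tools live on the host
New-Item -ItemType Directory -Path $hostTools -Force | Out-Null
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostTools</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <!-- assumption: mapped folders land on the sandbox user's desktop under the host folder name -->
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\SandboxTools</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path (Join-Path $hostTools 'Forensics.wsb') -Value $wsb -Encoding ASCII
Write-Host "Wrote $hostTools\Forensics.wsb; double-click it to start a configured sandbox."
```

Switch `<Networking>` to `Enable` only for the cases where you deliberately want to watch a link or attachment reach out, since the traffic leaves through the host's address as described above.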
Pros:
Here are some good things about Windows Sandbox as compared to full VM competitors:
· No additional licensing needed for guest use
· Quick install and reboot
· Quick to launch, it's just an app (no VM image to create or find, configure, or load)
· Can install most apps and connect to the Internet
· Easy to copy files into and out of the sandbox when needed
· Always resets when it closes
· Uses hardware-based virtualization for running and isolation
· Seamless cursor control
Cons:
Here are some cons of Windows Sandbox as compared to more feature-rich VM competitors:
· Only runs one operating system, Windows 10
· Doesn't run on Home versions of Windows
· Can only run one instance
· Does not allow virtual networking, isolation, etc.
· Doesn't allow you to save changes, so can't permanently add forensic tools you would like to have (you must re-add them each time)
· You can install drivers and programs, but not ones that require reboots
· No way to hide that it's a sandbox for malware that looks for the tell-tale clues
· You cannot add any Windows features within the guest, like the one it took to get Windows Sandbox up and running on the host
· Password is visible in plaintext in host event log
· Windows Defender is disabled and can't be installed, but you can download and run other programs
· Can't install software that requires User Account Control (UAC) to be enabled
· Lots of apps, for various reasons, cannot be installed or run
Bottom line: Windows 10 Sandbox is great for quick, relatively safe checks, but can't replace a fully functional VM like Microsoft Hyper-V, VMware, Oracle VirtualBox, etc. As compared to other common sandbox apps, it's better than the free Sandboxie but not nearly as feature-rich as Bromium. I've also read about Acronis Try & Decide (a feature of Acronis True Image), Comodo Containment (a feature of Comodo security products), DeepFreeze, and Turbo.net, and used Amazon Workspaces, but I don't know how they compare feature- or security-wise.
Source: https://www.linkedin.com/pulse/windows-10-sandbox-forensics-vm-roger-grimes
Posted by: marcucciancessitere.blogspot.com