Windows Sandbox with Sensitive Configuration

Identifies Windows Sandbox processes indicating the start of a new container with sensitive configurations such as write access to the host file system, network connectivity, and automatic execution via a logon command. Malware may abuse the sandbox feature to evade detection.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/14"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/07/07"

[rule]
author = ["Elastic"]
description = """
Identifies Windows Sandbox processes indicating the start of a new container with sensitive configurations like write
access to the host file system, network connection and automatic execution via logon command. Malware may abuse the
sandbox feature to evade detection.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Windows Sandbox with Sensitive Configuration"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Windows Sandbox with Sensitive Configuration

Windows Sandbox is a lightweight virtual environment designed to safely run untrusted applications. It isolates processes from the host system, preventing permanent changes. However, adversaries can exploit this by configuring the sandbox to access host resources, enabling network connections, or executing commands at startup. The detection rule identifies such misuse by monitoring specific process activities and configurations indicative of potential abuse, such as unauthorized file system access or network enablement, helping analysts spot and mitigate threats effectively.

### Possible investigation steps

- Review the process details for "wsb.exe" or "WindowsSandboxClient.exe" to confirm the start of a new container and check for any unusual command-line arguments that match the query criteria, such as "<Networking>Enable</Networking>" or "<NetworkingEnabled>true>".
- Investigate any file system access attempts by the sandbox, particularly focusing on write access to the host file system indicated by "<HostFolder>C:\\<ReadOnly>false". Determine if any unauthorized or suspicious files have been modified or created.
- Examine network activity associated with the sandbox process to identify any unexpected or unauthorized connections, especially if "<NetworkingEnabled>true>" is present in the command line.
- Check for any logon commands executed by the sandbox process using "<LogonCommand>" in the command line to identify potential persistence mechanisms or automated tasks that could indicate malicious intent.
- Correlate the sandbox activity with other security alerts or logs from data sources like Elastic Endgame, Sysmon, or Microsoft Defender for Endpoint to gather additional context and identify any related suspicious activities.

### False positive analysis

- Legitimate software installations or updates may configure the Windows Sandbox to enable network connections or access host resources. Users can create exceptions for known software update processes to prevent unnecessary alerts.
- Developers and IT administrators might use Windows Sandbox for testing purposes, which could involve enabling network connections or accessing host files. Establishing a list of approved users or processes that frequently perform these actions can help reduce false positives.
- Automated scripts or tools that configure the sandbox for legitimate purposes, such as testing or development, may trigger the rule. Identifying and excluding these scripts from monitoring can minimize false alerts.
- Security tools or system management software might use sandbox features for legitimate operations. Users should verify and whitelist these tools to avoid misidentification as threats.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified by the detection rule, specifically those related to Windows Sandbox misuse, such as "wsb.exe" or "WindowsSandboxClient.exe".
- Conduct a thorough review of the system's file system and network logs to identify any unauthorized access or data transfers that may have occurred.
- Remove any unauthorized configurations or scripts found within the Windows Sandbox environment that enable network connections or host file system access.
- Restore the system to a known good state using backups or system restore points, ensuring that any malicious changes are reversed.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on process creation and command-line parameters related to Windows Sandbox configurations.
"""
references = ["https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"]
risk_score = 47
rule_id = "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("wsb.exe", "WindowsSandboxClient.exe") and
  process.command_line : ("*<Networking>Enable</Networking>*",
                          "*<HostFolder>C:\\*<ReadOnly>false*",
                          "*<LogonCommand>*",
                          "*<NetworkingEnabled>true*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.006"
name = "Run Virtual Instance"
reference = "https://attack.mitre.org/techniques/T1564/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
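To show how the query's conditions apply to telemetry, the following added example (written for this page, not Elastic's code) re-implements the rule's match logic over constructed process-start events and parses the embedded .wsb configuration to name each sensitive setting for the triage steps above. It goes one step beyond the rule by also flagging a MappedFolder with no ReadOnly element, since that setting defaults to false. Assumed: event fields follow the ECS names used in the query, and the configuration XML appears in process.command_line.

```python
import fnmatch
import xml.etree.ElementTree as ET
# Patterns copied from the rule's EQL query; the ":" operator is case-insensitive,
# so both pattern and command line are lower-cased before matching.
RULE_PATTERNS = ["*<Networking>Enable</Networking>*", "*<HostFolder>C:\\*<ReadOnly>false*",
                 "*<LogonCommand>*", "*<NetworkingEnabled>true*"]
SANDBOX_PROCESSES = {"wsb.exe", "windowssandboxclient.exe"}

def make_event(command_line, name="WindowsSandboxClient.exe"):
    # Flattened ECS-style process-start event (constructed, not real telemetry).
    return {"host.os.type": "windows", "event.type": "start",
            "process.name": name, "process.command_line": command_line}

def matches_rule(event):
    """Apply the rule's conditions to one flattened process-start event."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() not in SANDBOX_PROCESSES:
        return False
    cmd = event.get("process.command_line", "").lower()
    return any(fnmatch.fnmatchcase(cmd, p.lower()) for p in RULE_PATTERNS)

def sensitive_settings(wsb_xml):
    """Parse a .wsb <Configuration> document and list the settings worth triage."""
    root = ET.fromstring(wsb_xml)
    findings = []
    if (root.findtext("Networking") or "").strip().lower() == "enable":
        findings.append("networking enabled")
    for mf in root.iter("MappedFolder"):
        # ReadOnly defaults to false when omitted; the EQL rule only matches the explicit form.
        if (mf.findtext("ReadOnly") or "false").strip().lower() == "false":
            findings.append("writable host folder " + (mf.findtext("HostFolder") or "").strip())
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append("logon command " + cmd.strip())
    return findings

def triage(events):
    """Return (index, findings) for each event the rule would alert on."""
    return [(i, sensitive_settings(e["process.command_line"]))
            for i, e in enumerate(events) if matches_rule(e)]
# Constructed sample configurations: a read-only test sandbox and one that maps
# C:\Users writable, enables networking and runs a logon command.
BENIGN_WSB = ("<Configuration><Networking>Disable</Networking><MappedFolders><MappedFolder>"
              "<HostFolder>C:\\Tools</HostFolder><ReadOnly>true</ReadOnly></MappedFolder>"
              "</MappedFolders></Configuration>")
SENSITIVE_WSB = ("<Configuration><Networking>Enable</Networking><MappedFolders><MappedFolder>"
                 "<HostFolder>C:\\Users</HostFolder><ReadOnly>false</ReadOnly></MappedFolder>"
                 "</MappedFolders><LogonCommand><Command>C:\\Users\\Public\\run.cmd</Command>"
                 "</LogonCommand></Configuration>")
```

Running `triage([make_event(BENIGN_WSB), make_event(SENSITIVE_WSB)])` alerts only on the second event and lists its three sensitive settings.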
