Windows Sandbox with Sensitive Configuration

Identifies Windows sandbox processes indicating the start of a new container with sensitive configurations such as write access to the host file system, network connection, and automatic execution via a logon command. Malware may abuse the sandbox feature to evade detection.


 1[metadata]
 2creation_date = "2025/04/14"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 4maturity = "production"
 5updated_date = "2025/04/14"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies Windows sanfbox processes indicating the start of a new container with sensitive configurations like write
11access to the host file system, network connection and automatic execution via logon command. Malware may abuse the
12sandbox feature to evade detection.
13"""
14from = "now-9m"
15index = [
16    "logs-endpoint.events.process-*",
17    "winlogbeat-*",
18    "logs-windows.sysmon_operational-*",
19    "endgame-*",
20    "logs-m365_defender.event-*",
21    "logs-sentinel_one_cloud_funnel.*",
22    "logs-crowdstrike.fdr*",
23]
24language = "eql"
25license = "Elastic License v2"
26name = "Windows Sandbox with Sensitive Configuration"
27references = ["https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"]
28risk_score = 47
29rule_id = "56d9cf6c-46ea-4019-9c7f-b1fdb855fee3"
30severity = "medium"
31tags = [
32    "Domain: Endpoint",
33    "OS: Windows",
34    "Use Case: Threat Detection",
35    "Tactic: Defense Evasion",
36    "Data Source: Elastic Endgame",
37    "Data Source: Elastic Defend",
38    "Data Source: Sysmon",
39    "Data Source: Microsoft Defender for Endpoint",
40    "Data Source: SentinelOne",
41    "Data Source: Crowdstrike"
42]
43timestamp_override = "event.ingested"
44type = "eql"
45
46query = '''
47process where host.os.type == "windows" and event.type == "start" and
48  process.name : ("wsb.exe", "WindowsSandboxClient.exe") and
49  process.command_line : ("*<Networking>Enable</Networking>*",
50                          "*<HostFolder>C:\\*<ReadOnly>false*",
51                          "*<LogonCommand>*",
52                          "*<NetworkingEnabled>true*")
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1564"
60name = "Hide Artifacts"
61reference = "https://attack.mitre.org/techniques/T1564/"
62[[rule.threat.technique.subtechnique]]
63id = "T1564.006"
64name = "Run Virtual Instance"
65reference = "https://attack.mitre.org/techniques/T1564/006/"
66
67
68
69[rule.threat.tactic]
70id = "TA0005"
71name = "Defense Evasion"
72reference = "https://attack.mitre.org/tactics/TA0005/"
