
John Hammond Explores APT Groups Using Windows Sandbox for Sophisticated Attacks
In this video, John Hammond examines how advanced persistent threat (APT) actors abuse Windows Sandbox to run their tooling. He starts from a March 2025 report by ITOCHU Cyber & Intelligence Inc. describing how MirrorFace, a threat group assessed as a subgroup of APT10, abused Windows Sandbox and Visual Studio Code in its intrusions. MirrorFace used LilimRAT, a customized build of the open-source RAT Lilith, which checks for the WDAGUtilityAccount user folder (the account Windows Sandbox logs in as) and runs only when that folder exists, i.e. only inside the sandbox.

Hammond explains that Windows Sandbox is a lightweight, disposable Hyper-V virtual machine isolated from the host operating system, intended for opening untrusted files or experimenting with potentially malicious software. It ships with the Pro, Enterprise and Education editions of Windows 10 and Windows 11 and requires hardware virtualization to be enabled in the UEFI/BIOS firmware. It can be turned on from the Windows Features dialog or from the command line (Enable-WindowsOptionalFeature in PowerShell, DISM in CMD).

The key attraction for attackers: Microsoft Defender Antivirus is not enabled inside the sandbox, and the host's antivirus or EDR has no visibility into what executes in the guest, so code that runs there leaves few host-side traces. Hammond shows how a sandbox is configured with a .wsb file, a small XML document that can map host folders into the guest (read-only or writable), enable clipboard redirection, control networking, and run a command at logon. An attacker who delivers a .wsb file therefore gets a VM with no antivirus, a writable path back onto the host's file system through a mapped folder, and an automatic execution point.

Hammond discusses what this means for penetration testers and red teams, emphasizing that understanding the offensive tradecraft is what makes better defenses. He demonstrates running malware inside the sandbox, reaching a command-and-control (C2) server over the Tor network from the guest, and reading and writing the host's file system through mapped folders, all without the host's security tooling noticing.
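The enable-and-configure flow described above, as an added PowerShell example that is not code from the video or from the ITOCHU report: it enables the feature, writes a .wsb file with a writable mapped folder, clipboard redirection and a logon command, and launches the sandbox. The C:\SandboxDemo paths and the payload.ps1 marker script are assumptions made for the demo.

```powershell
# Added example (not John Hammond's or ITOCHU's code). Paths under C:\SandboxDemo are assumptions.

# 1. Enable the optional feature. Needs an elevated shell, a Pro/Enterprise/Education
#    edition with virtualization enabled in firmware, and a reboot afterwards.
#    CMD equivalent: dism /online /Enable-Feature /FeatureName:"Containers-DisposableClientVM" -All
Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart

# 2. Stage a host folder the guest will see. ReadOnly is false below, so whatever the
#    guest writes into its mapped folder lands directly on the host's disk.
$hostShare = 'C:\SandboxDemo\shared'
New-Item -ItemType Directory -Force -Path $hostShare | Out-Null
Set-Content -Path (Join-Path $hostShare 'payload.ps1') -Value @'
# Runs inside the sandbox as WDAGUtilityAccount at logon.
# The marker file proves the guest can write through the mapping onto the host.
"sandbox user: $env:USERNAME" | Out-File -FilePath "$env:USERPROFILE\Desktop\shared\from-sandbox.txt"
'@

# 3. Write the .wsb configuration. It is plain XML; every element is a documented setting.
#    Networking is enabled (the default) so the guest can reach the Internet, e.g. for C2 over Tor.
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Enable</Networking>
  <ClipboardRedirection>True</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostShare</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\shared</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\Users\WDAGUtilityAccount\Desktop\shared\payload.ps1</Command>
  </LogonCommand>
</Configuration>
"@
$wsbPath = 'C:\SandboxDemo\demo.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

# 4. Launch. The launcher takes the .wsb path as its argument; this process creation is
#    about all the host-side Defender/EDR sees of what happens next.
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$wsbPath`""
```

After the sandbox boots, C:\SandboxDemo\shared\from-sandbox.txt appears on the host even though the script that wrote it ran in a VM with no antivirus; setting ReadOnly to true in the MappedFolder element removes that write path, which is the single most important line to check in any .wsb file you did not write yourself.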
In conclusion, Hammond emphasizes that defenders need to know how Windows Sandbox is enabled, configured and launched, and to monitor its use, since the host's security tooling sees little of what happens inside the guest. He encourages security professionals to try these techniques themselves to defend better against advanced threats. For more information, watch the full video at: https://www.youtube.com/watch?v=O20WhmCspqo
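A defender-side triage script for the monitoring Hammond calls for, added here and not part of the video: it reports whether the feature is enabled, sweeps user profiles for .wsb files, and flags configurations that hand the guest host access (writable mapped folders, a logon command, networking left on). The function names are mine, and the .wsb content embedded at the end is constructed so the parser can be exercised without a real attack artifact.

```powershell
# Added example (not from the video). Function names and the sample .wsb are constructed for the demo.

function Get-WsbFindings {
    # Parse one .wsb file and return the settings that give the guest a foothold on the host.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -Path $Path -Raw
    $findings = @()

    foreach ($mf in $cfg.Configuration.MappedFolders.MappedFolder) {
        # ReadOnly defaults to false when the element is absent, so absence is also a finding.
        $readOnly = if ($mf.ReadOnly) { $mf.ReadOnly.ToLower() -eq 'true' } else { $false }
        if (-not $readOnly) { $findings += "writable host folder mapped: $($mf.HostFolder)" }
    }
    if ($cfg.Configuration.LogonCommand.Command) {
        $findings += "logon command: $($cfg.Configuration.LogonCommand.Command)"
    }
    # Networking is on unless explicitly disabled; an enabled guest can reach C2 (e.g. via Tor).
    if (-not $cfg.Configuration.Networking -or $cfg.Configuration.Networking -ne 'Disable') {
        $findings += 'guest networking enabled (default): outbound C2 possible'
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings }
}

function Get-SandboxFeatureState {
    # Needs an elevated shell. Returns Enabled or Disabled.
    (Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM').State
}

function Find-WsbFiles {
    # .wsb files delivered by phishing usually end up somewhere under a user profile.
    Get-ChildItem -Path 'C:\Users' -Filter '*.wsb' -Recurse -Force -ErrorAction SilentlyContinue
}

try { "Windows Sandbox feature: $(Get-SandboxFeatureState)" } catch { 'Feature state check needs an elevated shell' }

# Constructed sample: a writable mapping plus a logon command, the shape an attacker-delivered file takes.
$sample = Join-Path $env:TEMP 'triage-demo.wsb'
@'
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\drop</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\drop\start.lnk</Command>
  </LogonCommand>
</Configuration>
'@ | Set-Content -Path $sample

# Triage the sample, then every .wsb file found on the box.
Get-WsbFindings -Path $sample | Format-List
Find-WsbFiles | ForEach-Object { Get-WsbFindings -Path $_.FullName } | Format-List
```

Pair this with process-creation telemetry: a Security event 4688 (with command-line auditing turned on) or a Sysmon event 1 for the sandbox launcher, WindowsSandbox.exe, whose command line ends in .wsb marks the host-side moment a delivered configuration is opened, and it is one of the few host artifacts this technique leaves. Where the feature is not needed, leaving Containers-DisposableClientVM disabled removes the technique entirely.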