Running NetworkMiner in Windows Sandbox

NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set up a Windows Sandbox that always boots up a fresh install of Windows 10 with the latest version of NetworkMiner installed.

I generally recommend analyzing Windows malware in Linux, or some other non-Windows environment, in order to avoid accidentally infecting yourself (NetworkMiner runs fine in Linux btw). Nevertheless, I still often find myself loading capture files containing malicious network traffic into CapLoader and NetworkMiner under Windows. I have previously demonstrated that this can be a quick and crude way to perform an anti virus scan of files contained in a pcap file.

Windows Sandbox

If you want to analyze malicious traffic in Windows with minimal risk of infecting yourself then you should definitely check out Microsoft’s Windows Sandbox (available in Windows 10 Pro and Enterprise editions). The Windows Sandbox is using Windows containers, so it’s very efficient compared to spinning up a full Windows VM. It also provides features like kernel isolation, so that the sandbox container doesn’t use the same kernel as the host, and ensures that a new Windows environment is created every time the sandbox is run. Windows Sandbox also doesn't run any anti-virus, so it won't interfere with the extraction of malicious contents from within the analyzed capture files.

Follow these steps to install Windows Sandbox:

  1. Run OptionalFeatures.exe (the “Turn Windows features on or off” window)
  2. Enable the “Windows Sandbox” feature (check the box)
  3. Reboot

Then create a sandbox config, which downloads and installs the latest version of NetworkMiner every time the sandbox is started, by creating a file called “NetworkMinerSandbox.wsb” with the following contents:

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <!-- Replace path below with your PCAP dir -->
      <HostFolder>C:\Users\Erik\pcap</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd.exe /C "curl -L https://www.netresec.com/?download=NetworkMiner | tar -C C:\Users\WDAGUtilityAccount\Desktop\ -xf -"</Command>
  </LogonCommand>
</Configuration>

Note: Replace “C:\Users\Erik\pcap” with whatever location your capture files are at

After starting NetworkMinerSandbox.wsb you’ll have a fresh Windows machine up and running within a couple of seconds. The latest version of NetworkMiner and your PCAP dir are both accessible from the sandbox’s desktop.

Windows Sandbox

Image: NetworkMiner 2.6 installed in a clean Windows Sandbox environment

Moving files in or out of the sandbox is just a matter of copy and paste (Ctrl+C / Ctrl+V).

VirtualBox and Windows Sandbox

VirtualBox error message Cannot enable nested VT-x/AMD-V without nested-paging and unrestricted guest execution

Are you using VirtualBox to run virtual machines on your Windows host and getting an error message saying “Cannot enable nested VT-x/AMD-V without nested-paging and unrestricted guest execution” after enabling Windows Sandbox?

Even though Windows Sandbox doesn’t need Hyper-V it still requires a hypervisor, which unfortunately conflicts with VirtualBox. You can disable the hypervisor by running the following command as administrator:

bcdedit.exe /set hypervisorlaunchtype off

...and then rebooting the computer before starting a VirtualBox VM with “nested VT-x” enabled. Turning off the hypervisor will unfortunately prevent Windows Sandbox from running, giving an error message saying “No hypervisor was found. Please enable hypervisor support.”

Windows Sandbox error message No hypervisor was found. Please enable hypervisor support.

To re-enable the hypervisor, in order to run Windows Sandbox again, you’ll need to run

bcdedit.exe /set hypervisorlaunchtype auto

and reboot the host.

Update May 26, 2021

We have now uploaded a simple Windows Sandbox config to our website here:

https://www.netresec.com/?download=NetworkMinerSandbox

This script runs on any Windows Pro machine that has the Sandbox feature active.

Posted by Erik Hjelmvik on Tuesday, 11 May 2021 13:39:00 (UTC/GMT)

Tags: #Netresec #NetworkMiner #PCAP #Windows #Sandbox #Windows Sandbox #Malware

More... Share  |  Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=215d5b5

twitter

NETRESEC on Twitter

Follow @netresec on twitter:
» twitter.com/netresec


book

Recommended Books

» The Practice of Network Security Monitoring, Richard Bejtlich (2013)

» Applied Network Security Monitoring, Chris Sanders and Jason Smith (2013)

» Network Forensics, Sherri Davidoff and Jonathan Ham (2012)

» The Tao of Network Security Monitoring, Richard Bejtlich (2004)

» Practical Packet Analysis, Chris Sanders (2017)

» Windows Forensic Analysis, Harlan Carvey (2009)

» TCP/IP Illustrated, Volume 1, Kevin Fall and Richard Stevens (2011)

» Industrial Network Security, Eric D. Knapp and Joel Langill (2014)