Warning
This project is not affiliated with Microsoft, Mandiant/Google, or FLARE-VM.
This project leverages undocumented techniques to modify Microsoft's Windows Sandbox (WSB) base image and replace it with a FLARE VM.
To see FLARE-WSB in action and for more technical details, check out this blog post.
To quote one of Microsoft's suggested use cases for WSB:
Running Untrusted Applications: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode.
The only problem is that if you want to do in-depth analysis on an untrusted application, the sandbox container is so ephemeral that you would need to re-install non-portable tools each time you start it. This can be automated, but depending on which tools you need it can be time-consuming, tedious, and often require internet access (not ideal when analyzing malware!)*
The FLARE-VM project is designed to run on a Windows virtual machine image and allows analysts to easily set up and maintain tools for reverse engineering and malware analysis on a persistent image. By leveraging the WSB CLI and some creative techniques, we can install FLARE VM within the Sandbox and ensure it persists by saving tools and relevant files to the WSB container's base layer.
Note
*Per Microsoft Documentation: when WSB networking is enabled it "can expose untrusted applications to the internal network"!
At a high level, the install.ps1 script does the following:
- Identifies the Windows Sandbox base layer location on the host
- Shares the base layer with the Windows Sandbox
- Acquires the WDAGUtilityAccount password using SandboxCommon.dll to share it with the FLARE installer
- Starts the FLARE VM installer*
- Upon confirmation, copies relevant files to a writeable path on the base layer (currently C:\Users\Public\Documents)
Once the install is complete, you can use flare-wsb.bat to launch your new WSB image. This will prompt you to provide some options and will automatically initiate post-install activities (mainly moving files).
- Windows Sandbox**
- Arm64 (for Windows 11, version 22H2 and later) or AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyper-threading recommended)
- PowerShell 7
- The install.ps1 script will prompt you to install with WinGet
- The
Last confirmed working OS: Windows 11 Pro 26200.7462 (25H2)
Note
*The install script will use bin/config.xml (modified to comment out packages with known issues) and bin/LayoutModification.xml (unmodified). If you want to edit these files, please read: FLARE-VM Configuration.
Note
**After installing Windows Sandbox for the first time, you will need to run it on its own first to generate the base layer image.
- I have tried my best to make as many of the FLARE VM tools work in WSB as possible, but you may encounter incompatibilities. If you identify any, please create an issue on this repo.
- Files related to the FLARE VM tools will ultimately be stored on your host machine. This may trigger anti-virus alerts depending on the tool, and it is suggested that you add an AV exclusion to C:\ProgramData\Microsoft\Windows\Containers\Layers or the base layer directory (the oldest modified folder).
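The following PowerShell is an added example and is not the project's install.ps1 or flare-wsb.bat. It ties together two things described above: locating the base layer the way the note above describes (the oldest modified folder under the Layers directory) and the AV exclusion suggestion, and it also shows the documented .wsb configuration mechanics behind Microsoft's "networking disabled, folder mapped read-only" guidance quoted earlier. The Layers path comes from this page; the oldest-folder heuristic, the C:\BaseLayer sandbox path and the output file name are assumptions, and the mapping is read-only here, whereas the project's installer needs to write to the base layer. It does not reproduce the undocumented WDAGUtilityAccount password retrieval.

```powershell
# Added example (not the project's own code). Locates the Windows Sandbox base
# layer using the heuristic this README gives (oldest-modified folder under the
# Layers directory), writes a .wsb configuration that maps it into a sandbox
# with networking disabled, and optionally adds the Defender exclusion the
# README recommends. Paths other than the Layers root are assumptions.
#Requires -RunAsAdministrator
param(
    [string]$LayersRoot = 'C:\ProgramData\Microsoft\Windows\Containers\Layers',
    [string]$OutFile    = (Join-Path (Get-Location) 'flare-wsb-example.wsb'),
    [switch]$AddDefenderExclusion
)

# Oldest-modified subfolder of the Layers root: the README identifies this as
# the base layer. Treat it as a candidate and print it so it can be verified.
$baseLayer = Get-ChildItem -Path $LayersRoot -Directory -ErrorAction Stop |
    Sort-Object LastWriteTime |
    Select-Object -First 1
if (-not $baseLayer) { throw "No layer directories found under $LayersRoot" }
Write-Host "Base layer candidate: $($baseLayer.FullName)"

# Windows Sandbox configuration (documented .wsb schema). Networking is
# disabled and the folder is mapped read-only, matching the untrusted-file
# guidance quoted above; the project's installer would instead need the
# mapping writable so files can be persisted to the base layer.
$wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$($baseLayer.FullName)</HostFolder>
      <SandboxFolder>C:\BaseLayer</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\BaseLayer</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path $OutFile -Value $wsb -Encoding utf8
Write-Host "Wrote $OutFile"

if ($AddDefenderExclusion) {
    # Defender path exclusion for the base layer directory, as the README
    # suggests. Narrower than excluding the whole Layers root.
    Add-MpPreference -ExclusionPath $baseLayer.FullName
    Write-Host "Added Defender exclusion for $($baseLayer.FullName)"
}

# Launch the sandbox from the generated configuration.
Invoke-Item -Path $OutFile
```

Run it from an elevated PowerShell 7 prompt (Add-MpPreference requires elevation; omit -AddDefenderExclusion to skip that step). Check the printed base layer candidate before trusting the oldest-folder heuristic: if Windows Sandbox has been reset or updated, the folder timestamps may not reflect which layer is the current base.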
- Mandiant/Google and the maintainers of FLARE-VM.
- Alex Ilgayev at Check Point with their Windows Sandbox research and the idea for this project.
- gerneio and their WindowsSandboxPlayground project for the WDAGUtilityAccount password retrieval technique and their collection of Windows Sandbox research.