Skip to content

Process Isolation Tests (HARD-PROCESS)

Validate that sandboxed processes cannot interact with or control host processes, and that child processes inherit denials.

Objectives

  • Deny host process control and memory access.
  • Ensure child processes inherit network/data motion/device denials.

Test Scenarios

IDTest ScenarioProcedureExpected Outcome
HARD-PROCESS-01Kill Host Process1. App: taskkill /F /IM explorer.exe.Pass: "Access Denied" or process not found.
HARD-PROCESS-02Memory Dump1. App: Tool like procdump on a host process ID.Pass: Cannot open process / Access Denied.
HARD-PROCESS-03Clipboard Sniffing1. Host: Copy "Password".
2. App: Run clipboard monitor loop.
Pass: App sees empty clipboard (when inbound clip denied).
HARD-PROCESS-04Child Process Inheritance1. App: Allow cmd.exe, Deny Network.
2. App: Run curl (child).
Pass: Child process inherits network block.

Tools & Commands

Use the following Sysinternals tools to validate isolation boundaries.

Handle.exe

Verify that the sandboxed process cannot see host process handles.

  1. Launch a command prompt inside the sandbox: turbo run <image> -- cmd.
  2. Run handle.exe -p <Host_PID> against a known host process (for example, lsass.exe or winlogon.exe).
  3. Expected Result: "Access Denied" or "No matching handles found". The sandboxed environment should prevent handle enumeration of high-integrity host processes.

AccessChk

Verify write permissions on sensitive host directories (e.g., C:\Windows).

  1. Launch the sandbox with cmd.exe.
  2. Run accesschk.exe -w -s -q -u <User> C:\Windows.
  3. Expected Result: No output indicating write permissions, or explicit "Access Denied" messages when attempting to write. The sandbox overlay should capture writes, or the ACLs should prevent modification of the underlying host path.

Process Explorer

Visually verify the AppContainer or Low Integrity status of the child processes.

  1. Run Process Explorer as Administrator on the host.
  2. Locate the sandboxed application process tree (typically under turbo-launcher.exe or vm-daemon.exe depending on isolation mode).
  3. Right-click the process > Properties > Security tab.
  4. Expected Result:
    • Integrity Level: Low or Untrusted.
    • AppContainer: Present (if AppContainer isolation is enabled).
    • Virtualization: Enabled (if applicable).

Evidence Requirements

  • Audit entries for denied process access and child process operations, including category, action, and outcome.

Troubleshooting

  • Confirm tests target host processes (for example, explorer.exe) from inside the sandbox for expected access denials.
  • Ensure child process inheritance tests use a child that attempts the denied capability (network, clipboard, device).

Known Limitations & Negative Space

  • Kernel-level memory inspection tools may present varying behaviors; validate with supported toolsets.
  • Interactions between EDR and sandbox controls can mask errors; cross-check host logs when results are ambiguous.