Appearance
Process Isolation Tests (HARD-PROCESS)
Validate that sandboxed processes cannot interact with or control host processes, and that child processes inherit denials.
Objectives
- Deny host process control and memory access.
- Ensure child processes inherit network/data motion/device denials.
Test Scenarios
| ID | Test Scenario | Procedure | Expected Outcome |
|---|---|---|---|
| HARD-PROCESS-01 | Kill Host Process | 1. App: taskkill /F /IM explorer.exe. | Pass: "Access Denied" or process not found. |
| HARD-PROCESS-02 | Memory Dump | 1. App: Tool like procdump on a host process ID. | Pass: Cannot open process / Access Denied. |
| HARD-PROCESS-03 | Clipboard Sniffing | 1. Host: Copy "Password". 2. App: Run clipboard monitor loop. | Pass: App sees empty clipboard (when inbound clip denied). |
| HARD-PROCESS-04 | Child Process Inheritance | 1. App: Allow cmd.exe, Deny Network.2. App: Run curl (child). | Pass: Child process inherits network block. |
Tools & Commands
Use the following Sysinternals tools to validate isolation boundaries.
Handle.exe
Verify that the sandboxed process cannot see host process handles.
- Launch a command prompt inside the sandbox:
turbo run <image> -- cmd. - Run
handle.exe -p <Host_PID>against a known host process (for example,lsass.exeorwinlogon.exe). - Expected Result: "Access Denied" or "No matching handles found". The sandboxed environment should prevent handle enumeration of high-integrity host processes.
AccessChk
Verify write permissions on sensitive host directories (e.g., C:\Windows).
- Launch the sandbox with
cmd.exe. - Run
accesschk.exe -w -s -q -u <User> C:\Windows. - Expected Result: No output indicating write permissions, or explicit "Access Denied" messages when attempting to write. The sandbox overlay should capture writes, or the ACLs should prevent modification of the underlying host path.
Process Explorer
Visually verify the AppContainer or Low Integrity status of the child processes.
- Run Process Explorer as Administrator on the host.
- Locate the sandboxed application process tree (typically under
turbo-launcher.exeorvm-daemon.exedepending on isolation mode). - Right-click the process > Properties > Security tab.
- Expected Result:
- Integrity Level: Low or Untrusted.
- AppContainer: Present (if AppContainer isolation is enabled).
- Virtualization: Enabled (if applicable).
Evidence Requirements
- Audit entries for denied process access and child process operations, including category, action, and outcome.
Troubleshooting
- Confirm tests target host processes (for example, explorer.exe) from inside the sandbox for expected access denials.
- Ensure child process inheritance tests use a child that attempts the denied capability (network, clipboard, device).
Known Limitations & Negative Space
- Kernel-level memory inspection tools may present varying behaviors; validate with supported toolsets.
- Interactions between EDR and sandbox controls can mask errors; cross-check host logs when results are ambiguous.
