Appearance
Command Prompt
Validate Command Prompt (cmd.exe) behaviors under the Secure Sandbox.
Objectives
- Enforce network controls for command-line tools (curl, ping).
- Verify file system isolation for commands.
- Prevent data exfiltration via clipboard.
Preconditions
- Windows target with Turbo Launcher and Secure Sandbox.
Controls Under Test
runtime.networking.egressDefaultAction.runtime.files.contexts.runtime.dataMotion.rules[].
Test Scenarios
| ID | Canonical ID | Scenario | Procedure | Expected Outcome |
|---|---|---|---|---|
| SCEN-TOOL-CMD-PROMPT-01 | NET-EGRESS-01 | Curl Egress | Run curl http://<IP>. | Blocked per default deny. |
| SCEN-TOOL-CMD-PROMPT-02 | NET-EGRESS-04 | Ping Egress | Run ping <IP>. | Blocked (ICMP often blocked by default or network filter). |
| SCEN-TOOL-CMD-PROMPT-03 | HARD-HOST-03 | Write to System | Run echo test > C:\\Windows\\test.txt. | Access denied or virtualized. |
| SCEN-TOOL-CMD-PROMPT-04 | DM-CLIP-01 | Clipboard Outbound | Select text (Mark); paste to host. | Denied/processed per policy. |
| SCEN-TOOL-CMD-PROMPT-05 | NET-EGRESS-05 | Env Proxy Vars / Flags | set HTTPS_PROXY=http://attacker:8080 then curl https://example.com. | Denied; reason: "unauthorizedProxy", proxyEnforced: true. |
| SCEN-TOOL-CMD-PROMPT-06 | NET-EGRESS-06 | NO_PROXY Bypass | set NO_PROXY=* then curl https://example.com. | Denied; reason: "proxyBypassAttempt", proxyEnforced: true. |
| SCEN-TOOL-CMD-PROMPT-07 | NET-EGRESS-08 | PAC/WPAD Hijack | Set PAC/WPAD to non-designated proxy; curl https://example.com. | Denied/Ignored; `reason: "pacNotTrusted" |
| SCEN-TOOL-CMD-PROMPT-08 | NET-EGRESS-09 | Proxy Fail-Closed | Stop designated proxy or blackhole; curl https://example.com. | Denied; no direct fallback; reason: "proxyUnavailable". |
| SCEN-TOOL-CMD-PROMPT-09 | NET-EGRESS-10 | Proxy Identity/Pinning | Intercept proxy TLS with wrong CA; curl https://example.com. | TLS error/handshake failure; `reason: "certMismatch" |
| SCEN-TOOL-CMD-PROMPT-10 | NET-EGRESS-11 | IPv6 Direct Egress | curl -6 https://[2606:4700:4700::1111]/. | Denied; ipVersion: 6, action: deny. |
| SCEN-TOOL-CMD-PROMPT-11 | NET-EGRESS-12 | CONNECT to Non-Proxy | curl -v -x https://nonproxy.example:443 https://target.example. | Denied; reason: "destNotProxy", proxyEnforced: true. |
| SCEN-TOOL-CMD-PROMPT-12 | HARD-FILESBYPASS-02 | Symlink to UNC admin share | mklink /D C:\\Temp\\SymlinkUNC \\\\localhost\\C$ then echo leak> C:\\Temp\\SymlinkUNC\\Users\\<user>\\Desktop\\leak.txt. | Denied or virtualized; UNC/Device Path smuggling blocked. Audit fileOp deny/virtualize with UNC target. |
Evidence Requirements
networkevents: destination, action,reason,proxyEnforced; includeipVersionfor IPv6 tests.fileOpevents: write attempts.dataMotionevents:channel,actionfor clipboard.
