Skip to content

Command Prompt

Validate Command Prompt (cmd.exe) behaviors under the Secure Sandbox.

Objectives

  • Enforce network controls for command-line tools (curl, ping).
  • Verify file system isolation for commands.
  • Prevent data exfiltration via clipboard.

Preconditions

  • Windows target with Turbo Launcher and Secure Sandbox.

Controls Under Test

  • runtime.networking.egressDefaultAction.
  • runtime.files.contexts.
  • runtime.dataMotion.rules[].

Test Scenarios

IDCanonical IDScenarioProcedureExpected Outcome
SCEN-TOOL-CMD-PROMPT-01NET-EGRESS-01Curl EgressRun curl http://<IP>.Blocked per default deny.
SCEN-TOOL-CMD-PROMPT-02NET-EGRESS-04Ping EgressRun ping <IP>.Blocked (ICMP often blocked by default or network filter).
SCEN-TOOL-CMD-PROMPT-03HARD-HOST-03Write to SystemRun echo test > C:\\Windows\\test.txt.Access denied or virtualized.
SCEN-TOOL-CMD-PROMPT-04DM-CLIP-01Clipboard OutboundSelect text (Mark); paste to host.Denied/processed per policy.
SCEN-TOOL-CMD-PROMPT-05NET-EGRESS-05Env Proxy Vars / Flagsset HTTPS_PROXY=http://attacker:8080 then curl https://example.com.Denied; reason: "unauthorizedProxy", proxyEnforced: true.
SCEN-TOOL-CMD-PROMPT-06NET-EGRESS-06NO_PROXY Bypassset NO_PROXY=* then curl https://example.com.Denied; reason: "proxyBypassAttempt", proxyEnforced: true.
SCEN-TOOL-CMD-PROMPT-07NET-EGRESS-08PAC/WPAD HijackSet PAC/WPAD to non-designated proxy; curl https://example.com.Denied/Ignored; `reason: "pacNotTrusted"
SCEN-TOOL-CMD-PROMPT-08NET-EGRESS-09Proxy Fail-ClosedStop designated proxy or blackhole; curl https://example.com.Denied; no direct fallback; reason: "proxyUnavailable".
SCEN-TOOL-CMD-PROMPT-09NET-EGRESS-10Proxy Identity/PinningIntercept proxy TLS with wrong CA; curl https://example.com.TLS error/handshake failure; `reason: "certMismatch"
SCEN-TOOL-CMD-PROMPT-10NET-EGRESS-11IPv6 Direct Egresscurl -6 https://[2606:4700:4700::1111]/.Denied; ipVersion: 6, action: deny.
SCEN-TOOL-CMD-PROMPT-11NET-EGRESS-12CONNECT to Non-Proxycurl -v -x https://nonproxy.example:443 https://target.example.Denied; reason: "destNotProxy", proxyEnforced: true.
SCEN-TOOL-CMD-PROMPT-12HARD-FILESBYPASS-02Symlink to UNC admin sharemklink /D C:\\Temp\\SymlinkUNC \\\\localhost\\C$ then echo leak> C:\\Temp\\SymlinkUNC\\Users\\<user>\\Desktop\\leak.txt.Denied or virtualized; UNC/Device Path smuggling blocked. Audit fileOp deny/virtualize with UNC target.

Evidence Requirements

  • network events: destination, action, reason, proxyEnforced; include ipVersion for IPv6 tests.
  • fileOp events: write attempts.
  • dataMotion events: channel, action for clipboard.