// 13 — PHYSICAL & ENDPOINT SECURITY

Locked-Down Device Breakout Assessment

Security testing of any restricted-access environment — kiosks, self-service terminals, managed laptops, VDI sessions, Citrix desktops, and ATMs — identifying application escapes, OS-level breakouts, and network pivoting paths available to untrusted or semi-trusted users.

Application Breakout • OS Escape • Kiosk & Terminal • VDI / Citrix • Managed Endpoint • AppLocker • Network Pivoting • Privilege Escalation

Overview

Any environment that restricts a user to a reduced interface — while running on a full operating system connected to your network — presents the same fundamental security challenge: a motivated user or attacker will attempt to break out of that restricted context and reach the underlying OS, credentials, or internal systems. This applies equally to public-facing kiosks, ATMs and payment terminals, managed corporate laptops, VDI and Citrix sessions, thin clients, and any other locked-down endpoint.

Levantis Cyber performs dedicated breakout assessments that test the full chain from the application layer down to the OS and network — regardless of the device type. We simulate what a motivated user with access to the device could achieve, applying techniques that span keyboard shortcut abuse, application-layer escapes, policy bypass, OS-level privilege escalation, and lateral movement into internal infrastructure.

Our assessments are scoped to your environment: a single kiosk type, a fleet of managed laptops, a Citrix published desktop, a VDI pool, or a combination. We test both logical controls and, where applicable, physical security — providing a complete picture of what is achievable from the device.

Assessment Methodology

01. Physical & Environmental Review

Inspection of the physical environment and device — including port accessibility (USB, PS/2, Ethernet, HDMI), case tamper resistance, BIOS / UEFI access controls, boot order configuration, secure boot status, and the opportunity for device substitution or hardware implant. Physical access controls such as camera placement and staff supervision are noted as context for threat modelling.

02. Application-Layer Escape Testing

Systematic testing of the restricted application interface for escape paths — including keyboard shortcut abuse (Windows key, Alt+Tab, Alt+F4, Ctrl+Esc, Task Manager shortcuts), drag-and-drop file dialogs, print dialog exploitation, context menu abuse, URL bar manipulation in browser-based environments, and HTML injection within embedded web content. In VDI and Citrix sessions, additional focus is placed on session-layer escapes, clipboard abuse, drive mapping, and published application boundary violations. Any path that surfaces a native OS component is pursued.

03. OS Restrictions & AppLocker Assessment

Evaluation of OS-level restriction policies — including Windows Assigned Access configuration, AppLocker and Software Restriction Policy rules, Group Policy hardening, and the effectiveness of shell replacement. We test for policy bypass techniques including trusted application abuse, DLL hijacking via whitelisted paths, script interpreter abuse (mshta, wscript, cscript, rundll32), and trusted binary living-off-the-land execution.

04. Filesystem & Registry Access Testing

Assessment of filesystem permissions — identifying writable locations that allow code execution, readable locations that expose credentials or sensitive configuration, and registry keys accessible to the restricted user that can be abused for persistence or privilege escalation. Credential storage in configuration files, registry, credential manager, and cached domain credentials is reviewed. On managed endpoints, MDM policy scope and gaps in configuration profiles are assessed.
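As an added example, not part of the original page and not Levantis Cyber's own tooling, a read-only PowerShell check a defender can run on a restricted Windows build to spot two of the findings this methodology targets: machine-wide autostart locations writable by broad non-admin principals (step 04) and AppLocker rule collections left in audit mode (step 03). It assumes the built-in AppLocker module present on supported Windows client and server editions and is run from an elevated prompt.

```powershell
# Added example (not Levantis Cyber tooling). Read-only; makes no changes.
# Part 1: machine-wide autostart locations writable by broad principals.
# Per-user locations (%APPDATA% Startup, HKCU Run) are user-writable by design;
# the control there is execution policy, which Part 2 checks.
$broadPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)
$fsWrite  = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'
$regWrite = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, WriteKey, FullControl'

$autostart = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-BroadWriteAce {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Registry ACEs carry RegistryRights; file ACEs carry FileSystemRights.
        $granted = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights -band $regWrite
        } else {
            $ace.FileSystemRights -band $fsWrite
        }
        if ($granted -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; WriteRights = $granted }
        }
    }
}

'== Autostart locations writable by broad principals (expect none) =='
$autostart | ForEach-Object { Get-BroadWriteAce -Path $_ } | Format-Table -AutoSize

# Part 2: AppLocker enforcement per rule collection. 'AuditOnly' or 'NotConfigured'
# on Exe, Script or Dll means the policy logs but does not block, so an allow-listed
# path or script host bypass would succeed despite the policy being "present".
'== AppLocker enforcement by collection (expect Enabled for Exe, Script, Dll) =='
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($policy) {
    $policy.RuleCollections |
        Select-Object @{n='Collection';e={$_.RuleCollectionType}}, @{n='Enforcement';e={$_.EnforcementMode}} |
        Format-Table -AutoSize
} else { 'No effective AppLocker policy found on this host.' }
```

Any row returned by Part 1, or a collection not reporting Enabled in Part 2, corresponds directly to the "Writable startup locations" and "AppLocker bypass" findings listed further down the page.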

05. Privilege Escalation Assessment

From any foothold obtained within the OS, we assess privilege escalation paths to local administrator — including service misconfigurations, unquoted service paths, DLL hijacking, token impersonation, and vulnerable third-party software. We determine whether a local privilege escalation yields domain credentials or direct access to backend systems.

06. Network Access & Lateral Movement

Assessment of the network posture from the perspective of the kiosk device — including network segment placement, firewall rules, accessible services on the internal network, and the potential to reach sensitive backend systems or domain controllers. We assess whether the kiosk network access is appropriately restricted relative to the trust level of users accessing the device.

07. Reporting & Hardening Guidance

A detailed technical report covering all escape paths and vulnerabilities identified, with step-by-step reproduction evidence, attack chain diagrams, and specific remediation guidance for each finding. Platform-specific hardening recommendations are provided — including Group Policy configuration, AppLocker rule design, and physical security controls. Includes debrief call and retest of critical findings.

Why Locked-Down Device Testing Matters

Restricted-access environments exist across almost every organisation — public kiosks in bank branches, retail outlets, and transport hubs; managed laptops issued to contractors or temporary staff; VDI and Citrix desktops used to control access to sensitive applications; thin clients in call centres and shared workspaces. The common thread is that each device is deliberately constrained, and that constraint is trusted to act as a security boundary.

That boundary is rarely as strong as assumed. Application-layer escapes, policy misconfigurations, and OS-level privilege escalation paths are consistently identified in environments that have passed standard build reviews and vulnerability scans — because those approaches do not simulate an adversary who is actively trying to break out. Dedicated breakout testing closes that gap.

Whether your concern is a member of the public gaining internal network access from a kiosk, a contractor pivoting beyond their VDI session, or a terminated employee breaking out of a restricted laptop build — a targeted assessment provides the evidence and remediation guidance needed to address the risk.

// Environments Tested

  • Windows Assigned Access / Kiosk Mode
  • Custom application shells
  • Browser-based kiosks
  • ATM & banking terminals
  • Point-of-sale systems
  • VDI (VMware, Azure Virtual Desktop)
  • Citrix / RDS published desktops
  • Thin clients
  • Managed / MDM-enrolled laptops
  • Healthcare information terminals

// Key Test Areas

  • Keyboard shortcut escapes
  • AppLocker / SRP bypass
  • LOLBins execution
  • File dialog exploitation
  • Registry / filesystem abuse
  • Privilege escalation paths
  • Physical port access
  • Network lateral movement

// Common Findings

  • Task Manager accessible
  • Print dialog OS escape
  • AppLocker bypass via LOLBins
  • Writable startup locations
  • Credentials in config files
  • Exposed USB ports
  • Unrestricted network access

// Typical Duration

  • Single device type: 1–2 days
  • Multiple device types: 3–4 days
  • Multi-site assessment: from 5 days

// Engage Us

Get in touch for a scoping call — whether it's a kiosk, a VDI, a managed laptop fleet, or something else, we'll scope and test it against real-world breakout techniques.


Locked down doesn't mean locked out.

Engage Levantis Cyber to test any restricted-access environment — kiosks, VDI, managed endpoints, and more — before a real attacker finds the way out.
