Collection of different things to try when attempting to breakout of a Windows environment such as Citrix, AWS AppStream, CyberArk PSM, etc.

General Tips & Ideas
Keyboard Shortcuts
Restricted CMD Shell
CMD/PowerShell Blocked
Allowed Applications
Checks to Perform After Breaking Out

General Tips & Ideas

Dialogs

Attempt to open Dialog Windows in the application such as Open, Save, New, Import, Export, etc.
When Saving/Exporting, does the file auto open? Is there an Auto Open option.
If the Dialog window is restricted, always right click in the Window and on Files to look for additional options.

Help/About/Guide

Look for Help/About/Guide pages and options in the application to try and launch a Web Browser.

Hyperlinks

Look for hyperlinks in the UI as they may be opened by a browser when clicked.

Sticky Keys

(Shift x5)
Click Ease of Access link.
Control Panel should now be open if it’s allowed.

Magnifier

(Win + +)
Settings Icon
Click Control whether Magnifier starts when I sign in.
Control Panel should now be open if it’s allowed.

Narrator

(Win + Enter).
A small window may open in the bottom left. If so, enlarge it.
Click General.
Click Control whether Narrator starts when I sign in.
Control Panel should now be open if it’s allowed.

Interrupt Startup

Are there any process/setups that can be interrupted (e.g. using CTRL + C) during startup/loading of the session?
Can Task Manager be opened while the session is loading?

Right Click

Right click everywhere in and on the application to find additional options. This can lead to more opportunities to try the above steps.

Keyboard Shortcuts

Various key combinations to press to try and abuse the target application into opening Windows functionality.

Windows Key
Ctrl + Alt + End
Ctrl + Alt + Del
Ctrl + Alt + Ins
Ctrl + Alt + Esc
Win + R
Win + E
Alt + Tab
Print functionality (Ctrl + P).
(Windows + Left/Right/Up/Down) to Move the app.

Restricted CMD Shell

Idea 1:

Open explorer from CMD (if allowed).
Enter CMD in the location bar.
See if new CMD prompt is restricted.

Idea 2:

While in a restricted shell change directory to C:\Windows\System32.
Run cmd.exe.
See if new CMD prompt is restricted.

Idea 3:

Same as Idea 2, but with PowerShell directory.
Run powershell.exe or powershell_ise.exe.

CMD/PowerShell Blocked

Idea 1:

If CMD is blocked, try PowerShell and vice versa.

Idea 2:

Create a bat file that contains cmd.
Run the bat file via Windows Explorer.

Allowed Applications

Are any of the following applications enabled and accessible?

Command Prompt:

C:\Windows\system32\cmd.exe

PowerShell:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

Internet Explorer:

C:\Program Files\Internet Explorer\iexplore.exe

File Transfer Protocol (FTP):

C:\Windows\system32\ftp.exe

Remote Desktop Connection (RDP):

C:\Windows\system32\mstsc.exe

Explorer:

Desktop Environment - C:\Windows\explorer.exe
File Explorer - C:\Windows\system32\explorer.exe

Services:

C:\Windows\system32\services.msc

Notepad:

C:\Windows\system32\notepad.exe

Control Panel:

C:\Windows\system32\control.exe

Narrator:

C:\Windows\system32\Narrator.exe

Magnify:

C:\Windows\system32\Magnify.exe

Checks to Perform After Breaking Out

Has internet access been restricted?
Is outbound DNS enabled?
If RDP is in use, is Copy-Paste enabled? Can you copy files/payloads to the machine this way?
Are there sensitive files stored on the machine (Documents, Downloads, Pictures, Videos, User Directory, Other Drives, Network Shares, etc).
What privilege is the underlying session running as?
Is the Operating System in use old and/or missing updates?
Can the host communicate with other computers or shares in the network?
Is privilege escalation possible?
If privilege level allows for it, can the LSASS process be dumped?

Breaking out of Windows Environments