Attackers, defenders, and Windows Subsystem for Linux
Open House
As a compatibility layer, the Windows Subsystem for Linux (WSL) allows Linux binaries to run directly on Windows without any modifications. With WSL, users can call Linux processes from Windows and vice versa, access files on both operating systems, share environment variables, and chain commands across the two.
The two WSL versions [1] have significantly different architectures. WSL 1 uses a translation layer that implements Linux system calls on top of the Windows kernel; it is built on lightweight Pico processes and Pico providers (lxss.sys and lxcore.sys) managed by a kernel-mode driver. On its WSL blog, Microsoft provides more details on the role and history of Pico processes [2]. In WSL 2, on the other hand, a real Linux kernel runs inside a lightweight virtual machine whose resources Windows sizes dynamically according to utilization [3].
WSL is still in its early stages, but Microsoft is actively developing the project and adding additional features, such as GUI support for a fully integrated desktop experience [4]. The stated goal of WSL is to enable users to use their favorite Linux tools on Windows. However, WSL can also be misused for attacks. To do so, cybercriminals resort to various tactics, techniques, and procedures (TTPs).
TTP 1: Tools
Attackers bypass the requirement to enter a sudo password by passing the -u root argument to wsl.exe, making it far easier to download and deploy arbitrary tools and to run or create payloads. Cybercriminals can also add the repositories of hacking distributions in order to deploy tools with a package installer.
In a simple example of this technique, I