« Previous 1 2
Attackers, defenders, and Windows Subsystem for Linux
Open House
Threat Hunting in WSL
The use of WSL in an environment generally looks suspicious if it is not one of the usual developer tools. You will want to monitor the environment for command lines containing wsl.exe and bash.exe. Additionally, DISM or PowerShell used to enable WSL or virtualization features can indicate unfriendly behavior.
You can mitigate WSL threats with optional feature policies, and you might want to disable virtualization and WSL with the PowerShell cmdlet
Disable-WindowsOptionalFeature
or the DISM utility. You also can hide the enable or disable Windows Features task by setting the NoWindowsFeatures value in the registry paths to 1:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Programs HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Programs NoWindowsFeatures 1
Finally, logging and auditing processes with tools such as Endpoint Detection and Response (Figure 3) also reduces potential risks.
Figure 3: Endpoint Detection and Response (EDR) can help mitigate the threat of WSL vulnerabilities.
Conclusions
The Windows Subsystem for Linux is a useful technology designed to improve productivity by integrating applications and utilities from various distributions into the Windows environment. However, such a large-scale project inevitably affects safety. Because attackers are focusing on WSL in their search for new TTPs, defenders need to establish appropriate protections.
Infos
- WSL architectures: https://docs.microsoft.com/en-us/windows/wsl/compare-versions#whats-new-in-wsl-2
- Pico processes: https://docs.microsoft.com/en-in/archive/blogs/wsl/pico-process-overview
- WSL 2 source code of the Linux kernel: https://github.com/microsoft/WSL2-Linux-Kernel
- Linux GUI apps in WSL: https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps
- Bashware attack on WSL: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bashware-attack-targets-windows-system-for-linux-wsl
- Custom Linux distributions for WSL: https://docs.microsoft.com/en-us/windows/wsl/build-custom-distro
- Kali in WSL 2: https://www.kali.org/docs/wsl/win-kex/
- Preview of Linux GUI applications: https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps
- Doskey documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/doskey
- OpenSSH: https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh
- SSH backdoors: https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Stressing security with PowerShell
PowerShell is not the usual go-to tool for pentesting, but it can reveal IT vulnerabilities that suggest a more considered use of the tool. -
Cyber security for the weakest link
The balance between IT threats and IT security is woefully unbalanced in a Windows environment, requiring the enforcement of company-wide security standards. -
Slipping your pen test past antivirus protection with Veil-Evasion
The Veil pen-testing platform provides some powerful tools that will hide your attack from antivirus scanners – and Veil even supports Metasploit payloads. -
Use PowerShell to manage Exchange Online
Exchange Online in Office 365 can be managed just like its local counterpart with similar, sometimes identical, PowerShell cmdlets. - New Ransomware Infects by Using MS Word Macros