Attackers, defenders, and Windows Subsystem for Linux

Open House

Threat Hunting in WSL

The use of WSL in an environment generally looks suspicious unless it is one of the developer tools normally used there. Monitor the environment for command lines containing wsl.exe and bash.exe. Additionally, the use of DISM or PowerShell to enable the WSL or virtualization features can indicate unfriendly behavior.

You can mitigate WSL threats with optional feature policies, and you might want to disable virtualization and WSL with the PowerShell cmdlet Disable-WindowsOptionalFeature or the DISM utility. You also can hide the Turn Windows features on or off task by setting the NoWindowsFeatures value to 1 under the following registry paths:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Programs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Programs
NoWindowsFeatures 1

Finally, logging and auditing processes with tools such as Endpoint Detection and Response (Figure 3) also reduces potential risks.

Figure 3: Endpoint Detection and Response (EDR) can help mitigate the threat of WSL vulnerabilities.
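The checks described above, as an added PowerShell example that is not part of the ADMIN article: it reports the state of the WSL and virtualization optional features, reads (and can set) the NoWindowsFeatures policy in both hives, and scans the Security log for wsl.exe, bash.exe, dism.exe, or Enable-WindowsOptionalFeature in process creation events. It assumes an elevated session and that process creation auditing with command-line logging is enabled; the feature names and event ID are standard Windows values, the function names are this example's own.

```powershell
# Added example (not the article's code). Run elevated. Without "Audit Process
# Creation" and "Include command line in process creation events", 4688 events
# contain no command line and the hunt below only sees the process image names.

function Get-WslFeatureState {
    # Feature names as used by DISM / Get-WindowsOptionalFeature.
    foreach ($name in 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name
        [pscustomobject]@{ Feature = $name; State = $f.State }
    }
}

function Get-NoWindowsFeaturesPolicy {
    # The registry locations from the article; value 1 hides the Windows Features task.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\Programs"
        $value = (Get-ItemProperty -Path $path -Name NoWindowsFeatures -ErrorAction SilentlyContinue).NoWindowsFeatures
        [pscustomobject]@{ Path = $path; NoWindowsFeatures = $value }
    }
}

function Set-NoWindowsFeaturesPolicy {
    # Creates the Policies\Programs key if missing and sets NoWindowsFeatures = 1.
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\Programs"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoWindowsFeatures -Value 1 -Type DWord
    }
}

function Find-WslProcessEvents {
    param([int]$Hours = 24)
    # Security event 4688 = process creation. Matching on the message text avoids
    # depending on the ordering of the event's property fields.
    $pattern = '(?i)\\(wsl|bash|dism)\.exe|Enable-WindowsOptionalFeature'
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match 'New Process Name|Process Command Line' }
            [pscustomobject]@{ Time = $_.TimeCreated; Detail = ($lines.Trim() -join ' | ') }
        }
}

Get-WslFeatureState
Get-NoWindowsFeaturesPolicy
Find-WslProcessEvents -Hours 24 | Format-Table -AutoSize
```

Call Set-NoWindowsFeaturesPolicy only after confirming the hardening is wanted; the other three functions are read-only.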

Conclusions

The Windows Subsystem for Linux is a useful technology designed to improve productivity by integrating applications and utilities from various distributions into the Windows environment. However, such a large-scale project inevitably affects security. Because attackers are focusing on WSL in their search for new TTPs, defenders need to establish appropriate protections.
