Attackers, defenders, and Windows Subsystem for Linux
Open House
Threat Hunting in WSL
Unless WSL is one of the sanctioned developer tools in your environment, any use of it deserves a closer look. Monitor process creation for command lines that contain wsl.exe and bash.exe (bear in mind that Git for Windows also ships a bash.exe, so check the path and the parent process before raising an alarm). Additionally, DISM or PowerShell (Enable-WindowsOptionalFeature) being used to enable the WSL or virtualization features can indicate unfriendly behavior, because an attacker who finds WSL absent will try to switch it on first.
You can mitigate WSL threats with optional feature policies: Disable WSL and the virtualization platform it depends on with the PowerShell cmdlet Disable-WindowsOptionalFeature or the DISM utility. You can also hide the "Turn Windows features on or off" task by setting the NoWindowsFeatures value to 1 under either of the following registry keys (the HKEY_CURRENT_USER key affects only the current user, the HKEY_LOCAL_MACHINE key affects all users of the machine):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Programs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Programs
NoWindowsFeatures = 1

Note that hiding the dialog only removes the graphical route; a local administrator can still enable the features from DISM or PowerShell, which is exactly why the process monitoring described above remains necessary.
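The mitigation above as an added PowerShell example (not from the article): it disables the WSL and Virtual Machine Platform optional features if they are enabled, sets the NoWindowsFeatures policy machine-wide, and then verifies both. The feature names and registry path are the real ones; run it from an elevated PowerShell and expect to restart before the feature change takes effect.

```powershell
# Added example, not the article's own code: switch WSL off and hide the
# "Turn Windows features on or off" dialog. Requires an elevated session.
#Requires -RunAsAdministrator

# Microsoft-Windows-Subsystem-Linux is WSL itself; VirtualMachinePlatform is the
# lightweight VM layer that WSL 2 runs on (other products such as Windows
# Sandbox or Docker Desktop may also rely on it, so check before removing it).
$features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform'

foreach ($f in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    if ($state -eq 'Enabled') {
        # -NoRestart defers the reboot so both features can be handled first.
        Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
        Write-Host "Disabled $f (restart required)"
    } else {
        Write-Host "$f is already $state"
    }
}

# NoWindowsFeatures = 1 hides the Windows Features task. HKLM applies to every
# user; use the matching HKCU path to restrict a single account instead.
$policy = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Programs'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'NoWindowsFeatures' -Value 1 -Type DWord

# Verify: feature state per feature and the policy value.
$features | ForEach-Object { Get-WindowsOptionalFeature -Online -FeatureName $_ } |
    Select-Object FeatureName, State
Get-ItemProperty -Path $policy -Name 'NoWindowsFeatures' |
    Select-Object -ExpandProperty NoWindowsFeatures
```

Disabling only Microsoft-Windows-Subsystem-Linux is enough to stop WSL 1; WSL 2 also needs VirtualMachinePlatform, and disabling that feature breaks any other product that uses it. Treat the registry policy as a usability restriction rather than a security boundary: the feature state, not the hidden dialog, is what actually prevents WSL from running.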
Finally, process logging and auditing with an Endpoint Detection and Response (EDR) tool (Figure 3) also reduces the risk, because WSL activity that bypasses your policies still shows up as process creation, network connections, and file writes on the Windows side.
Conclusions
The Windows Subsystem for Linux is a useful technology designed to improve productivity by integrating applications and utilities from various distributions into the Windows environment. However, a project of this scale inevitably has security implications. Because attackers are turning to WSL in their search for new TTPs, defenders need to establish appropriate protections.
Infos
- WSL architectures: https://docs.microsoft.com/en-us/windows/wsl/compare-versions#whats-new-in-wsl-2
- Pico processes: https://docs.microsoft.com/en-in/archive/blogs/wsl/pico-process-overview
- WSL 2 source code of the Linux kernel: https://github.com/microsoft/WSL2-Linux-Kernel
- Linux GUI apps in WSL: https://docs.microsoft.com/en-us/windows/wsl/tutorials/gui-apps
- Bashware attack on WSL: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bashware-attack-targets-windows-system-for-linux-wsl
- Custom Linux distributions for WSL: https://docs.microsoft.com/en-us/windows/wsl/build-custom-distro
- Kali in WSL 2: https://www.kali.org/docs/wsl/win-kex/
- Doskey documentation: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/doskey
- OpenSSH: https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh
- SSH backdoors: https://blogs.juniper.net/en-us/threat-research/linux-servers-hijacked-to-implant-ssh-backdoor