#hack100days : day 80 : Fell off the wagon for a couple of days. Then a post (https://cyberplace.social/@GossiTheDog/110100144318003862) from @GossiTheDog crossed my feeds. #ThreatHuntThursday is on. Did some digging in Defender ATH and it looks like some linux commands get logged in Defender--I searched for sudo. The install will show up as a wsl.exe command with the image passed as a parameter. So, it looks like there are some detective controls available if you weren't expecting the user population to be utilizing WSL. Gonna poke at it some more tomorrow.
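Added example, not part of the post above: a Defender Advanced Hunting (KQL) query that turns the wsl.exe observation into a per-device baseline. It assumes the standard DeviceProcessEvents schema; the activity labels, the switches checked (`--install`, `--import`) and the 7-day window are my own choices.

```kql
// Added example (not from the original post). Surfaces WSL adoption per device/account
// from wsl.exe process events so unexpected installs and sudo use stand out.
// Assumes the standard DeviceProcessEvents columns; labels and lookback are constructed.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "wsl.exe"
| extend Activity = case(
    // distro/image passed on the command line when a distribution is brought onto the host
    ProcessCommandLine contains "--install", "WSL install",
    ProcessCommandLine contains "--import",  "WSL distro import",
    // Linux commands relayed through wsl.exe (the post searched for sudo)
    ProcessCommandLine contains "sudo",      "Linux command via wsl.exe (sudo)",
    "other wsl.exe invocation")
// Keep the "other" bucket: it is the baseline of who already uses WSL
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Events = count(),
            SampleCommandLine = take_any(ProcessCommandLine),
            Parent = take_any(InitiatingProcessFileName)
          by DeviceName, AccountName, Activity
| order by FirstSeen desc
```

Devices that appear only in the "WSL install" or "WSL distro import" rows within the window are the ones to review first if WSL is not expected on that population.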
Kevin Beaumont (@[email protected])

Cool find by @[email protected] - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation. I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender. https://sec1.dk/blog.html

#hack100days : day 55 : Completed three more #CRTO sections, maybe about 1/3 of the way through--so far, mostly review. Added another item to the #ThreatHuntThursday list. #redteam #GetSmart
#hack100days : day 54 : Completed credential theft section for #CRTO, got some good ideas for #ThreatHuntThursday for log events and access patterns I hadn't thought of before. #redteam #GetSmart