Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post-isolation.

I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html

Sec1 Security blog

@GossiTheDog @nieldk As far as I know "this independence" from the host OS is by design. It changed from WSL1 to WSL2.

IMHO that (isolation from host) makes sense, and so on the host OS the SOCKS connection should be logged/blocked.