Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation.

I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html

Sec1 Security blog

@GossiTheDog

The system will also be able to communicate to the outside with DHCP, ARP, ND and other ICMP. Sure, those usually travel far less.

And now I wonder what this action does in a DNS64/NAT64 environment. It still allows the Defender API and, on request, other Microsoft tools to be reachable. Or are they trying to restrict that by application?

@nieldk