Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation.

I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html


I had a quick look at the Defender/WSL (Windows Subsystem for Linux) thing at lunch.

It's pretty comical, it looks like the WSL team have unfortunately undercut Defender. E.g. you don't even need to port a backdoor to Linux to maintain access on isolation -- you can just run a Windows trojan in Wine (works in WSL) & the network traffic isn't inspected, logged in Advanced Hunting Query or blocked on isolation. Also WSL can access any local or network files. And it ships built into Windows OS.

Good news, MS have revisited the Defender/WSL issue where network traffic is not inspected/logged (and asset containment is fully bypassed) in Microsoft Defender for Endpoint. Now has a logo and a name - #ShadowBunny. https://infosec.exchange/@nieldk/110198058070907150
nieldk (@[email protected])

Happy to announce MS acknowledging my Defender bypass, and a “patch” will be produced ✌️ #shadowbunny. Thanks to @cirriustech for logo ;) which will be added to my blog https://sec1.dk/blog.html this weekend
For anybody tracking #ShadowBunny - it still works as a way to evade device isolation in MDE.

The #ShadowBunny vulnerability in MDE persists over 6 months later - if you contain an endpoint in MDE, Windows Subsystem for Linux apps can all still access the internet.

So if you’re a threat actor, enable WSL from control panel and SSH back to yourself - if the org detects you, your access persists. It also allows internal network access, too.
https://infosec.exchange/@nieldk/111241070277583473

PhreakByte (@[email protected])

7 months ago I reported #shadowbunny-as-a-service to MSRC, one month ago they “hope to have an answer in a few days” lol


As an update to the #ShadowBunny thread - WSL is now being abused by a ransomware threat actor.

WSL opens up a whole attack surface on Windows. The Defender EDR integration is crap, and an optional bolt-on, and other EDR providers have basically no visibility. It’s a mess.

https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-to-run-linux-encryptors-in-windows/

Qilin ransomware abuses WSL to run Linux encryptors in Windows

The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.

@GossiTheDog as I noted sideways, finally the year of Linux on the desktop

@GossiTheDog Do you have any idea if this is different than enabling hyper-v and running malware from a small VM? Does WSL give more access than mounting C:/ in a VM? Or is visibility worse than from VMs?

I don’t know exactly how WSL works but in my head it’s just tighter integration with a light Linux VM.

@FarmerDenzel @GossiTheDog WSL has a LOT more attack surface. Imagine running a Linux VM on Windows, except you have all the attack surface of Windows plus the Linux VM. If one gets compromised, consider both compromised.

You can even execute Windows PEs from within WSL. And the reverse, sending commands to the Linux VM, works as well, using wsl.exe to pass commands directly in.

Not terribly difficult to detect unauthorized use of WSL, but as Kevin says, don’t depend on the Defender EDR plugin. It only supports the default Ubuntu, and doesn’t even show up in Defender dashboard unless it is used for at least 30 minutes.

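The detection point raised in the reply above, and the question about spotting WSL installation further down the thread, as an added example that is not from the thread or any of its posters: a PowerShell inventory of a host's WSL footprint that does not depend on the Defender WSL plugin. It assumes it runs elevated (the optional-feature query needs it) and that the feature names, the per-user `Lxss` registry path, the process names and the `ext4.vhdx` location are the ones current WSL builds use.

```powershell
# Added example (not from the thread): inventory the WSL footprint on a Windows
# host so unauthorized WSL use can be spotted independent of the Defender plugin.
# Assumptions: runs elevated; feature names, Lxss registry layout, process names
# and the ext4.vhdx location are those used by current WSL 1/2 builds.

function Get-WslFootprint {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Optional features. WSL 1 needs only the first; WSL 2 needs both.
    $features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform'
    $result.Features = foreach ($f in $features) {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue).State
        [pscustomobject]@{ Feature = $f; State = if ($state) { "$state" } else { 'Unknown' } }
    }

    # 2. Registered distributions are per user under HKU\<SID>\...\Lxss.
    #    Walk every loaded user hive so another account's distro is not missed.
    $result.Distros = foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $lxss = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Lxss"
        if (Test-Path $lxss) {
            Get-ChildItem $lxss -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.DistributionName) {
                    [pscustomobject]@{
                        User     = $hive.PSChildName
                        Name     = $p.DistributionName
                        Version  = $p.Version      # 1 = WSL 1 (pico processes), 2 = WSL 2 (utility VM)
                        BasePath = $p.BasePath
                    }
                }
            }
        }
    }

    # 3. Live processes: wsl.exe / wslhost.exe front a distro session, wslservice.exe
    #    is the Store-version service, vmmem / vmmemWSL is the utility VM itself.
    $names = 'wsl', 'wslhost', 'wslservice', 'vmmem', 'vmmemWSL'
    $result.Processes = Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object Name, Id, StartTime

    # 4. The WSL 2 root filesystem is a VHDX; it persists across 'wsl --shutdown',
    #    so its presence shows WSL 2 was used even when nothing is running now.
    $result.Vhdx = Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\Packages\*\LocalState\ext4.vhdx" -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime

    [pscustomobject]$result
}

$fp = Get-WslFootprint
$fp.Features  | Format-Table -AutoSize
$fp.Distros   | Format-Table -AutoSize
$fp.Processes | Format-Table -AutoSize
$fp.Vhdx      | Format-Table -AutoSize

# Alert condition: a registered distro or a live WSL process on a host where WSL
# is not an approved tool. Isolation that ignores WSL traffic is what this catches.
if ($fp.Distros -or $fp.Processes -or $fp.Vhdx) {
    Write-Warning "WSL footprint found on $env:COMPUTERNAME - compare against the approved-software inventory."
}
```

Run it from an endpoint-management task or an EDR live-response session and pair it with process-creation telemetry for `wsl.exe` and `wslhost.exe` (Security event 4688 or Sysmon event 1); those are ordinary Windows processes, so that logging works whether or not the Defender WSL plugin is installed.
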
@GossiTheDog I’m merely surprised it took this long
@GossiTheDog God damnit your feed gives me nightmares sometimes man.
@GossiTheDog any thoughts on detections related to the installation of WSL?
@GossiTheDog It seems to me that this should be solved by the new Mirror mode (https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/) which is available in the Release Preview insider ring.
With this new mode Windows Defender Firewall Rules also apply to WSL. Also you can set WSL to use the Host OS DNS client instead of its own which should also improve on the detection side. It's also possible to add firewall rules only applying to WSL.
Windows Subsystem for Linux September 2023 update

There is a new release for the Windows Subsystem for Linux (WSL) with new features and bug fixes! Check out the summary below, and read on to learn more about new experimental features, and some significant quality improvements. Experimental features We know that WSL is used for a wide array of workflows and we want to help you get the best performance and quality experience from these workflows.

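The mirrored-mode settings the reply above describes, as an added example that is not from the thread, the WSL blog post or Microsoft's documentation: a PowerShell script that writes a `.wslconfig` enabling mirrored networking, DNS tunneling and the Hyper-V firewall for WSL, then defaults the WSL VM's inbound traffic to Block so host firewall policy governs the distro. It assumes WSL 2.0.0 or later on Windows 11 22H2+; the `[experimental]` section name is the one the September 2023 release used (later releases also accept these keys under `[wsl2]`), and the `*-NetFirewallHyperV*` cmdlets are assumed to be present on that build.

```powershell
# Added example (not from the thread or from Microsoft): switch WSL to mirrored
# networking so Windows Defender Firewall rules apply to WSL traffic, and give the
# WSL utility VM a block-by-default inbound posture in the Hyper-V firewall.
# Assumptions: WSL 2.0.0+ on Windows 11 22H2 or newer; keys under [experimental]
# as in the September 2023 release (later versions also accept them under [wsl2]).

$config = @"
[experimental]
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true
"@

$path = Join-Path $env:USERPROFILE '.wslconfig'
# Back up any existing per-user settings before replacing the file.
if (Test-Path $path) { Copy-Item $path "$path.bak" -Force }
Set-Content -Path $path -Value $config -Encoding ASCII

# .wslconfig is read when the utility VM starts, so stop any running instance.
wsl.exe --shutdown

# Hyper-V firewall: look up the WSL VM creator rather than hard-coding its GUID,
# then default inbound traffic to Block. Add New-NetFirewallHyperVRule entries
# for anything the organisation actually needs to reach inside WSL.
$wslCreator = Get-NetFirewallHyperVVMCreator | Where-Object FriendlyName -eq 'WSL'
if ($wslCreator) {
    Set-NetFirewallHyperVVMSetting -Name $wslCreator.VMCreatorId -DefaultInboundAction Block
    # Outbound stays at its default unless -DefaultOutboundAction Block is set and
    # egress rules are added; that is where isolation-bypass traffic would be cut.

    # Verify the setting took effect.
    Get-NetFirewallHyperVVMSetting -Name $wslCreator.VMCreatorId |
        Select-Object Name, DefaultInboundAction, DefaultOutboundAction
} else {
    Write-Warning 'No Hyper-V firewall VM creator named WSL found; check WSL and Windows versions.'
}

# In mirrored mode a distro sees the host's own interfaces (assumes one is installed).
wsl.exe -- ip -brief addr
```

Because mirrored mode makes the distro share the host's network stack, inbound rules, DNS resolution and the proxy path now go through components the host firewall and logging already cover, which is the visibility gap the thread is about.
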
@faebudo @GossiTheDog The CIS baseline suggests disabling Internet Connection Sharing but also warns it will break internet access for WSL. Seems like this would be a way to contain these systems.
@GossiTheDog So Defender is working on the wrong level? What exactly are they using to implement that isolation in the first place?
@GossiTheDog luckily third party EDR/EPP can… um…

@GossiTheDog I told some red teamer friends 2+ years ago that WSL is a gold mine for this exact reason.

Security still depends on Imagination.

@GossiTheDog
Do you need a 'business' SKU or can WSL use Home?

@GossiTheDog obligatory stupid question: is this the same behavior in WSL 1 and 2?

I would expect this behavior in WSL 2, due to it having a full Linux kernel - lots of things get hidden from Windows. Whereas since WSL 1 is emulation, lots more is visible, because it’s *technically* just Windows executables.

@TindrasGrove @GossiTheDog

WSL 1 stores its “file system” in a regular folder.

WSL2 uses an ext4 partition in a separate VHDX virtual drive.

I think that might make a difference.

@GossiTheDog I assume they did it so that WSL does not run too slow on Windows. Would the same apply to anything else running using Virtual Machine Platform?
@GossiTheDog but just think of the performance gains!
@GossiTheDog What in the mother of fuck fuck

@GossiTheDog That was the first thing I noticed a while back when WSL2 launched. Running nmap as a Windows executable would trigger a port scanning alert from the client, but running nmap under a Linux distro with WSL2 didn’t and Defender didn’t log any of the traffic.

Always seemed like a bit of an oversight.