Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation.

I suspect MS probably needs to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html

Sec1 Security blog