Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation.

I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html

Sec1 Security blog

I had a quick look at the Defender/WSL (Windows Subsystem for Linux) thing at lunch.

It's pretty comical, it looks like the WSL team have unfortunately undercut Defender. E.g. you don't even need to port a backdoor to Linux to maintain access on isolation -- you can just run a Windows trojan in Wine (works in WSL) & the network traffic isn't inspected, logged in Advanced Hunting Query or blocked on isolation. Also WSL can access any local or network files. And it ships built into Windows OS.
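A compensating check for responders, added here as an example and not code from the thread or from nieldk's blog: since the thread says Defender neither logs nor contains WSL traffic on isolation, the host itself has to be checked for WSL and, if you choose, WSL has to be shut down and the feature disabled as a manual step alongside MDE isolation. The cmdlets and feature names are the standard ones (Get-/Disable-WindowsOptionalFeature, Microsoft-Windows-Subsystem-Linux, VirtualMachinePlatform, wsl.exe --list/--shutdown); the process-name list and the function name are my own assumptions. It must run elevated.

```powershell
# Added example (not from the original thread): audit a host for WSL and,
# optionally, shut it down and disable the feature during incident containment.
function Invoke-WslContainmentCheck {
    [CmdletBinding()]
    param(
        # When set, terminate running distros and disable the WSL features.
        [switch]$Contain
    )

    $report = [ordered]@{}

    # 1. Is the WSL optional feature (and the WSL2 VM platform) enabled?
    foreach ($feature in 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
        $report[$feature] = if ($f) { $f.State } else { 'NotPresent' }
    }

    # 2. Are WSL-related processes running right now?
    #    Assumed list: wsl (CLI), wslhost (per-distro host), wslservice (Store WSL),
    #    vmmemWSL (WSL2 utility VM memory). Adjust for your environment.
    $wslProcs = Get-Process -Name wsl, wslhost, wslservice, vmmemWSL -ErrorAction SilentlyContinue
    $report['RunningProcesses'] = @($wslProcs | Select-Object -ExpandProperty ProcessName -Unique)

    # 3. Which distros are installed? wsl.exe emits UTF-16LE on older builds, so
    #    strip embedded NULs before splitting, or every distro name looks empty.
    $wslExe = Join-Path $env:SystemRoot 'System32\wsl.exe'
    $distros = @()
    if (Test-Path $wslExe) {
        $raw = & $wslExe --list --quiet 2>$null
        $distros = @(($raw -join "`n") -replace "`0", '' -split "`r?`n" |
                     ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $report['InstalledDistros'] = $distros

    # 4. Optional containment: stop every distro and the utility VM, then disable
    #    the features so a re-launch fails. A reboot finalises the feature change.
    if ($Contain) {
        if (Test-Path $wslExe) { & $wslExe --shutdown 2>$null }
        foreach ($feature in 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform') {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart `
                -ErrorAction SilentlyContinue | Out-Null
        }
        $report['ContainmentApplied'] = $true
    }

    [pscustomobject]$report
}

# Usage: audit only, then contain.
Invoke-WslContainmentCheck | Format-List
# Invoke-WslContainmentCheck -Contain | Format-List
```

Run the audit form first and record the output with the incident; disabling the features is disruptive and, as the thread notes, WSL can read any local or network file the user can, so a distro found on a contained host is evidence worth preserving (the ext4.vhdx under the user's profile) before you shut it down.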

Good news, MS have revisited the Defender/WSL issue where network traffic is not inspected/logged (and asset containment is fully bypassed) in Microsoft Defender for Endpoint. Now has a logo and a name - #ShadowBunny. https://infosec.exchange/@nieldk/110198058070907150
nieldk :verified: 💻 (@[email protected])

Happy to announce MS acknowledging my Defender bypass, and a "patch" will be produced ✌️ #shadowbunny. Thanks to @cirriustech for the logo ;) which will be added to my blog https://sec1.dk/blog.html this weekend

@Sugarian
I'm not sure I'm getting it all but NICE
@GossiTheDog