Cool find by @nieldk - if you isolate an asset in MDE (Microsoft Defender), Windows Subsystem for Linux still allows all network traffic (including internally!). So if you're a threat actor, just install WSL, set up SSH or some such and persist access post isolation.

I suspect MS probably need to revisit this one as the attack surface looks rich and unconsidered. E.g. network connections in WSL aren't even logged by Defender.

https://sec1.dk/blog.html

Sec1 Security blog

I had a quick look at the Defender/WSL (Windows Subsystem for Linux) thing at lunch.

It's pretty comical, it looks like the WSL team have unfortunately undercut Defender. E.g. you don't even need to port a backdoor to Linux to maintain access on isolation -- you can just run a Windows trojan in Wine (works in WSL) & the network traffic isn't inspected, logged in Advanced Hunting Query or blocked on isolation. Also WSL can access any local or network files. And it ships built into Windows OS.
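The thread states the gap but not how to tell which endpoints it applies to. The following PowerShell audit is an added example, not code from the thread, from @nieldk or from Microsoft: it reports whether the WSL optional features, the Store-delivered WSL package, any registered distributions or any live WSL processes exist on a host, so a defender can scope exposure before relying on MDE isolation. The function name and report layout are mine; the feature, package, registry and process names are the real ones WSL uses.

```powershell
# Added example: audit a Windows host for WSL presence and activity.
# Run in an elevated PowerShell session (Get-WindowsOptionalFeature requires it).

function Get-WslExposureReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. In-box optional features: the WSL component itself and the
    #    VM platform that WSL 2 relies on.
    foreach ($feature in 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
        $report[$feature] = if ($f) { $f.State } else { 'NotPresent' }
    }

    # 2. Store-delivered WSL package (what 'wsl --install' puts down on current builds).
    $pkg = Get-AppxPackage -Name 'MicrosoftCorporationII.WindowsSubsystemForLinux' -ErrorAction SilentlyContinue
    $report['StorePackageVersion'] = if ($pkg) { $pkg.Version.ToString() } else { 'NotInstalled' }

    # 3. Registered distributions: each distro is a GUID subkey under the Lxss key
    #    of the user who registered it. Walk every loaded user hive, since a distro
    #    registered by a standard user matters as much as one registered by an admin.
    $distros = @()
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $lxss = Join-Path $_.PSPath 'Software\Microsoft\Windows\CurrentVersion\Lxss'
        if (Test-Path $lxss) {
            Get-ChildItem $lxss -ErrorAction SilentlyContinue | ForEach-Object {
                $name = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DistributionName
                if ($name) { $distros += "$name ($($_.PSChildName))" }
            }
        }
    }
    $report['RegisteredDistros'] = $distros

    # 4. Live WSL processes: wsl.exe is the launcher, wslhost.exe backs running
    #    Linux processes, wslservice.exe is the WSL 2 service process.
    $procs = Get-Process -Name wsl, wslhost, wslservice -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name -Unique
    $report['RunningWslProcesses'] = @($procs)

    [pscustomobject]$report
}

Get-WslExposureReport | Format-List
```

A host where every field comes back disabled, not installed and empty is not affected by the behaviour described in the thread; anything else is a candidate for removing the feature or, at minimum, for watching wsl.exe process launches, which are ordinary Windows process events even where the Linux-side network traffic is not inspected.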

Good news, MS have revisited the Defender/WSL issue where network traffic is not inspected/logged (and asset containment is fully bypassed) in Microsoft Defender for Endpoint. Now has a logo and a name - #ShadowBunny. https://infosec.exchange/@nieldk/110198058070907150
nieldk :verified: 💻 (@nieldk@infosec.exchange)

Happy to announce MS acknowledging my Defender bypass, and a “patch” will be produced ✌️ #shadowbunny. Thanks to @cirriustech for logo ;) which will be added to my blog https://sec1.dk/blog.html this weekend

For anybody tracking #ShadowBunny - it still works as a way to evade device isolation in MDE.

The #ShadowBunny vulnerability in MDE persists over 6 months later - if you contain an endpoint in MDE, Windows Subsystem for Linux apps can all still access the internet.

So if you’re a threat actor, enable WSL from control panel and SSH back to yourself - if the org detects you, your access persists. It also allows internal network access, too.
https://infosec.exchange/@nieldk/111241070277583473

PhreakByte (@nieldk@infosec.exchange)

7 months ago I reported #shadowbunny-as-a-service to MSRC, one month ago they “hope to have an answer in a few days” lol


As an update to the #ShadowBunny thread - WSL is now being abused by a ransomware threat actor.

WSL opens up a whole attack surface on Windows. The Defender EDR integration is crap, and an optional bolt-on, and other EDR providers have basically no visibility. It’s a mess.

https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-to-run-linux-encryptors-in-windows/

Qilin ransomware abuses WSL to run Linux encryptors in Windows

The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.

@GossiTheDog I’m merely surprised it took this long