Photo by Alistair MacRobert on Unsplash

Attackers, defenders, and Windows Subsystem for Linux

Open House

Article from ADMIN 72/2022
Several tactics, techniques, and procedures circulating among cybercriminals exploit Windows Subsystem for Linux as a gateway. We look at how WSL can be misused and some appropriate protections.

As a compatibility layer, the Windows Subsystem for Linux (WSL) allows Linux binaries to run directly on Windows without any modifications. Users can call processes in Linux from Windows and vice versa with WSL, accessing files on both operating systems, sharing environment variables, and linking different commands.

The two WSL versions [1] have significantly different architectures. WSL 1 uses a translation layer that implements Linux system calls on top of the Windows kernel: Linux programs run as minimal Pico processes, served by Pico providers (the kernel-mode drivers lxss.sys and lxcore.sys). On its WSL blog, Microsoft provides more details on the role and history of the Pico processes [2]. In WSL 2, on the other hand, an actual Linux kernel is executed in a virtual machine that Windows sizes dynamically depending on the utilization level [3].

WSL is still in its early stages, but Microsoft is actively developing the project and adding features such as GUI support for a fully integrated desktop experience [4]. The stated goal of WSL is to let users run their favorite Linux tools on Windows. However, WSL can also be misused for attacks, and cybercriminals resort to various tactics, techniques, and procedures (TTPs) to do so.

TTP 1: Tools

Attackers bypass the requirement to enter a sudo password by passing the -u root argument to wsl.exe, which makes it far easier to download and deploy arbitrary tools to run or create payloads. Cybercriminals can also add the repositories of hacking distributions to deploy tools with a package installer.
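From the defender's side, the -u root invocation described above is visible in process-creation telemetry. The following detection logic is an added example and not part of the article; it assumes Sysmon Event ID 1 style records with Image, CommandLine and ParentImage fields, and the sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wsl.exe -u root -e bash -c "id"'},
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wsl.exe -d Ubuntu ls -la"},
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "wsl.exe --user root"},
    # Linux-side sudo: still password-gated, so not the bypass the rule targets.
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wsl.exe -e sudo -u root id"},
]

@dataclass
class Finding:
    parent_image: str
    command_line: str

def is_wsl_image(image: str) -> bool:
    """Match wsl.exe by file name regardless of path or letter case."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "wsl.exe"

def wsl_runs_as_root(command_line: str) -> bool:
    """True if a wsl.exe command line asks for the Linux root user via -u/--user."""
    tokens = command_line.split()
    for i in range(1, len(tokens)):
        tok = tokens[i]
        if tok in ("-e", "--exec", "--"):
            break  # everything after this belongs to the Linux command, not wsl.exe
        if tok.lower() in ("-u", "--user") and i + 1 < len(tokens):
            return tokens[i + 1].strip('"') == "root"
    return False

def scan_events(events) -> list:
    """Return one Finding per wsl.exe launch that requests the root user."""
    return [
        Finding(ev.get("ParentImage", ""), ev["CommandLine"])
        for ev in events
        if is_wsl_image(ev.get("Image", "")) and wsl_runs_as_root(ev["CommandLine"])
    ]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"wsl.exe as root from {f.parent_image}: {f.command_line}")
```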

In a simple example of this technique, I
