![]() ![]() To check if your endpoints are vulnerable, you can use osquery or use VMware Carbon Black sensor that includes osquery to have all in one sensor, one console. Using Linux malware running on WSL, malicious actors can take the control of your Windows endpoints. I have submitted this query to our query exchange community website, and Carbon Black experts have approved and improved the query. In my test environment, there’s no WSL enabled. SELECT * FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1Īnd a few seconds after, you will see the result: ![]() Using osquery embedded in Carbon Black Sensor, and with a web UI available in Carbon Black web UI, you can query all your endpoints using the table “windows_optional_features”:įigure 3: osquery website, table windows_optional_featuresĪudit and Remediation leverage standard SQL syntax. If you are already protecting all your Windows endpoints and workloads using VMware Carbon Black, and you have enabled the feature “Audit and Remediation” you can answer in a few seconds. So, how can you detect usage of WSL in your organization? Verifying Usage of WSL in your Organization This includes Arkime (formerly Moloch), Suricata, and more. Similar strategies can be used to correlate osquery logs with those from other tools that support Community ID. Linux Virtual Machines can be a more secure alternative to WSL you can run Linux in VMware Workstation for example. Support for Community ID hashing in osquery allows osquery’s endpoint instrumentation to be easily correlated with that of network monitors such as Zeek. To minimize your organizational risk from my security point of view I would recommend restricting WSL access in your organization.įigure2: WSL screenshot with access to Windows filesystem from Linux. On WSL, you can run Ubuntu, Debian… and Kali, a penetration testing distribution! If adversaries can access the Windows File system from the Linux subsystem, we have just opened the door to a larger attack surface than what we already know exists with standard Windows OS’s. This proof of concept is uncovering just how detrimental this can be in production environments. Python scripts can be converted in ELF format on Linux ( ELF: Executable and Linkable Format), so no Windows antivirus that scans Windows executables, exe, DLL. They are using a Python library: ctypes.Ĭtypes is a “foreign function” library for Python, to call Windows APIs and invoke Powershell scripts. Instead of attacking Windows directly, threat actors are able to leverage the capabilities of python running in a Linux hosted in WSL on Windows to run malicious PowerShell commands. Threat researchers from Black Lotus Labs recently discovered a new attack technique. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |