
Abusing WSL for Evasion


The Windows Subsystem for Linux (WSL) lets native Linux ELF64 binaries run on Windows.

(Screenshot: store)

From an attacker's point of view this is promising: since build 1809 (Windows 10 October 2018 Update) WSL distros can be installed from the command line.

This means an attacker can enable WSL, install a Linux distro and execute malicious ELF files in the background.

P.S. The C: drive is mounted at /mnt/c inside the distro.

Self-documented POC:

The first PowerShell script (start.ps1) enables WSL, downloads the Ubuntu1804 package and registers a scheduled task that runs the second script (resume.ps1), which installs the Ubuntu distro and executes the ELF file (encryptDOCX). All of this happens in the background, without any interaction from the user.
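As an added defender-side example (not part of the original post or its POC), the following PowerShell check looks for the artefacts the procedure above leaves behind: the WSL optional feature state, per-user distro registrations under the Lxss registry key, scheduled tasks whose action launches PowerShell, wsl.exe or bash.exe, and WSL processes that are currently running. It assumes an elevated prompt, since querying the optional feature requires administrator rights.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
$findings = @()

# 1. Is the WSL optional feature enabled? (needs administrator rights)
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
if ($feature.State -eq 'Enabled') { $findings += 'WSL optional feature is enabled' }

# 2. Which distros are registered for the current user?
#    Each registration is a subkey of Lxss with DistributionName and BasePath values.
$lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
if (Test-Path $lxss) {
    Get-ChildItem $lxss | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DistributionName) {
            $findings += "Registered distro: $($p.DistributionName) (BasePath: $($p.BasePath))"
        }
    }
}

# 3. Scheduled tasks whose action runs PowerShell, wsl.exe or bash.exe
#    (the POC stages its second script through exactly such a task).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh|wsl\.exe|bash\.exe') {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs: $cmd"
        }
    }
}

# 4. WSL-related processes that are running right now
Get-Process -Name wsl, wslhost, bash -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Running WSL process: $($_.ProcessName) (PID $($_.Id))"
}

$findings
```

Expect some benign Microsoft tasks to match the PowerShell filter in step 3; triage those by task path and author, and treat a distro registration on a host where WSL was never approved as the stronger signal.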

I think it’s much harder to detect/analyze a malicious ELF executable on Windows.

(Screenshots: Procmon and Process Hacker.)

Contact: @_qaz_qaz