![]() To check if your endpoints are vulnerable, you can use osquery or use VMware Carbon Black sensor that includes osquery to have all in one sensor, one console. Using Linux malware running on WSL, malicious actors can take the control of your Windows endpoints. I have submitted this query to our query exchange community website, and Carbon Black experts have approved and improved the query. In my test environment, there’s no WSL enabled. SELECT * FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1Īnd a few seconds after, you will see the result: Using osquery embedded in Carbon Black Sensor, and with a web UI available in Carbon Black web UI, you can query all your endpoints using the table “windows_optional_features”:įigure 3: osquery website, table windows_optional_featuresĪudit and Remediation leverage standard SQL syntax. If you are already protecting all your Windows endpoints and workloads using VMware Carbon Black, and you have enabled the feature “Audit and Remediation” you can answer in a few seconds. So, how can you detect usage of WSL in your organization? Whether your goal is intrusion detection, infrastructure reliability, or compliance, OSquery gives you the ability to empower and inform a broad set of organizations within your company. OSquery allows you to easily ask questions about your Linux, Windows, and macOS infrastructure. Verifying Usage of WSL in your Organization In this post I am going to explore the tool OSquery. Linux Virtual Machines can be a more secure alternative to WSL you can run Linux in VMware Workstation for example. To minimize your organizational risk from my security point of view I would recommend restricting WSL access in your organization.įigure2: WSL screenshot with access to Windows filesystem from Linux. On WSL, you can run Ubuntu, Debian… and Kali, a penetration testing distribution! If adversaries can access the Windows File system from the Linux subsystem, we have just opened the door to a larger attack surface than what we already know exists with standard Windows OS’s. ![]() This allows you to write SQL queries to explore operating system data. Osquery exposes an operating system as a high-performance relational database. The tools make low-level operating system analytics and monitoring both performant and intuitive. This proof of concept is uncovering just how detrimental this can be in production environments. Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. Python scripts can be converted in ELF format on Linux ( ELF: Executable and Linkable Format), so no Windows antivirus that scans Windows executables, exe, DLL. They are using a Python library: ctypes.Ĭtypes is a “foreign function” library for Python, to call Windows APIs and invoke Powershell scripts. Instead of attacking Windows directly, threat actors are able to leverage the capabilities of python running in a Linux hosted in WSL on Windows to run malicious PowerShell commands. Threat researchers from Black Lotus Labs recently discovered a new attack technique.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |