Investigating WSL Endpoints

This document discusses investigating Windows Subsystem for Linux (WSL) endpoints from a digital forensics and incident response perspective. It describes what WSL 2 is and the implications for forensic analysts, then details several experiments conducted during a forensic examination of a WSL endpoint, including establishing persistence using Bashrc and systemd, executing reverse shells and downloading files, and lateral movement of files.

Uploaded by

MindSmith

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

25 views66 pages

Investigating WSL Endpoints

Uploaded by

MindSmith

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 66

Investigating WSL Endpoints

Asif Matadar
@d1r4c

OSDFCon 2020
#whoami

• Director of Endpoint Detection & Response (EDR) at Tanium

• Seasoned Incident Response professional with over a decade working in InfoSec and
specifically leading high-profile cases around the world, such as advanced targeted attacks,
nation-state attacks, and data breaches, to name a few

• Public speaker at industry recognised conferences around the world:

• DFRWS USA 2020

• WSLConf (U.S.) 2020
• OSDFCon (U.S.) 2019
• OSDFCon (U.S.) 2018
• IMF (Germany) 2018
• OSDFCon (U.S.) 2017
• BSidesNOLA (U.S.) 2017
• BSidesMCR (U.K.) 2015

• Research focus on memory analysis and automation, *nix-based forensics, cloud forensics,
and triage analysis

©2017 Tanium. All rights reserved. 2

Investigating WSL Endpoints

• Since the announcement of the Windows Subsystem for Linux (WSL) back in 2016, there has been
a lot of excitement to try and leverage WSL across workstations and servers a like by organisations
and those that work in the industry.

• What does that mean for someone who works as a Digital Forensics & Incident Response
professional?
• Well adversaries and malware authors have already started focussing their attention on WSL;
therefore, it is important to understand the underlying architecture changes that will allow one
to investigate a compromised Windows 10 or Windows Server 2019 in the not too distant
future.

• This talk will highlight the nuances to be aware of from a Digital Forensics & Incident Response
perspective and illustrate forensic artefacts of interest, which will consist of a forensic examination
on a WSL Endpoint to provide the audience an appreciation of what that entails and share insights
that will assist them when the time arises.

©2017 Tanium. All rights reserved. 3

Agenda

• What is WSL 2?

• What does that mean for Digital Forensics & Incident Response professionals?

• Forensic examination on a WSL Endpoint

• 11 experiments

©2017 Tanium. All rights reserved. 4

What is WSL2?
What is WSL 2?

• Full System Call Compatibility

• WSL 2 has its own customised kernel specifically for WSL 2
• Docker

• WSL 1 had a translation layer to interpret the system calls, that allows them to
work on the Windows NT kernel

• Faster than WSL 1

• Raw sockets

©2017 Tanium. All rights reserved. 6

What is WSL 2?

• New architecture for Windows Subsystem for Linux

• Developed in-house kernel from stable branch at kernel.org source from version 4.19 kernel

• Customised kernel specifically for WSL 2

• As it’s developed by Microsoft, updates to the kernel will be serviced by Windows Update

• Lightweight Utility VM
• Hyper-V hypervisor

©2017 Tanium. All rights reserved. 7

What does that mean for Digital
Forensics & Incident Response
professionals?
What does that mean for Digital Forensics & Incident Response
professionals?

• Full System Call Compatibility

• Lightweight Utility VM
• Hyper-V hypervisor
• Not a traditional Virtual Machine
• EXT4 Virtual Disk
• C:\Users\User\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindow
s_79rhkp1fndgsc\LocalState\ext4.vhdx

• Management of WSL
• wsl.exe (WSL 2)
• wslconfig (WSL 1)