
Thank you for coming to our talk. This talk will be two presentations; the research itself probably isn't enough for a full 45 minutes, so we combined forces and made it into one presentation. Max is going to talk about WSL, and I'm going to talk about staying under the radar when compromising a Linux host. Three quick things first: for my talk there won't be any code, it's just stuff I learned; English is not my first language, so sorry; and I'm nervous, so I'm going to speak quickly, and I hope you understand it all.

A quick one about me: I'm a senior red teamer at Mandiant, I've been in the industry seven years, and I'm quite big on Twitter, I'm a Twitter addict. I was in the military for three years, as was Max, and no, I wasn't 8200. I didn't do a university degree, so I hope I can inspire people who haven't done university degrees and want to get into the field. I'm a jack of all trades: I'm not specialised in malware development or anything else, I like to do everything and know everything, so if you want to speak about red teaming or anything security, I'd like to speak to you as well. Over to Max.

I'm also on the Mandiant red team, part of Google Cloud now. I've spent about five years in security, one and a half of those with Mandiant, and I have some previous experience in security, physical and technical, public and private sector as well. My job role is red teaming and purple teaming, same as Edan. That's it, I'm ready.

Yeah, as you'll see in this talk, we're part of AP66, the Mandiant code name for red teaming in Europe. So Europe only, specialising in red team; that's mostly what we do, we barely do any pentests. So let's crack on. This talk is going to be about one of the jobs I've done, where
a client asked me: can you come in and do a purple team on a Linux host? Most of our job, obviously, is interacting with Windows hosts; we have malware, multiple implants for Windows hosts. But when we came to Linux it was like, what do you use? A lot of the time we just proxy our stuff into a host, a jump host, and do our thing, but we don't drop a C2. So this is what I learned during this engagement, and hopefully I'll explain it well and you'll learn more about what you can do with Linux. The first thing to say: every time someone says "let's compromise a Linux host", red teamers think EDR on Linux doesn't do anything. That's what I thought too, but there's going to be a bit of a surprise there. So let's see what I learned during the engagement.

Let's start with the basics: what was the goal of the engagement? It was a purple team. The client provided us a VPN into the network environment; it was the contractor scenario, a VPN into the environment, an assumed breach. There's no phishing or anything, we start directly with access to the host itself. They provided us with two Linux hosts, both of them with different EDRs. I can't say names, but you might see some hints during the presentation. We had two weeks of testing. It's worth noting that those operating systems were quite old, running kernel 3.10, which is from 2013, so a lot of modern stuff, modern protections or modern techniques, doesn't really work on those old OSes.

So let's start. If you're thinking about dropping a C2, a command and control, onto a Linux host, your first thoughts are probably Mythic or Sliver. Because it's a purple team we can't use our internal Mandiant command and control, because it's proprietary, and obviously Cobalt Strike and stuff like that are Windows-only, so we can't use it. So my first question, I guess: how many of you know Mythic? Can you raise your hand if you know Mythic? It's a multi-agent framework: the back end is already there and you only write agents for it, or use one of the already-made agents. Sliver is also quite well known, by Bishop Fox, fully written in Go, and it cross-compiles because it's Go. So these are the things I had to consider before the engagement: cross-compiled, like Go, which can compile to multiple different operating systems, or native, which obviously if you write C will be for Windows, or Bash for Linux. Stuff to consider. And above all it has to be encrypted, it has to be safe; we don't want to transmit sensitive data from a client to us in the clear, it all has to be encrypted. So I guess my first question, no, second: which one do you think I used? Would I go with Mythic or with Sliver? Let's raise hands for Mythic. Quite a few. Sliver? OK, I think Sliver had a bit more hands. So yes, you're right, I went with Sliver. It's well known, well abused by APT actors, it's feature rich: it supports HTTPS, mTLS, WireGuard, multiple ways to transmit data back to us. It also supports long polling compared to periodic checks; the difference is that with long polling we make an HTTP connection and keep it alive, while periodic check-ins check every so often at an interval. It uses garble obfuscation by default, so
it takes a lot of our stuff off our hands. On the left you can see a page from Mandiant Advantage, the threat intel website Mandiant uses; you can see the threat actors that are using it and information about it. So let's carry on, let's game day, let's put Sliver into action. The first thing we do, obviously, is try to generate a payload. Generate a normal payload, an ELF, whatever, with -e, which does evasion, and -b just to tell it which side to communicate to, and then the output is an ELF, which you can see by default weighs about 50 megabytes, quite a big payload in itself, without any modification to it. I've not done any other modification to it; I just want to see if out of the box it works. It doesn't work. Quick reminder: we have two operating systems, two different antiviruses. So how many of you think this payload will bypass one or two antiviruses? First question: does it bypass anything? Raise your hand. No? OK. Bypass one antivirus, one EDR? OK. Bypass both EDRs? OK, quite a lot of hands. So, first one: it didn't bypass any of them. Both EDRs caught these payloads and I didn't get any beacon back.

Let's start to modify things and see if it works now. This time we're exporting, doing the same thing, exporting a file using the evasion, but this time the output needs to be a shared library, a .so file, which is the equivalent of a DLL in Windows environments. So think about exporting a DLL: we have to call it, but it's fine. The shared library itself is 17 megabytes and I've not done any other modifications to it. How many of you think this bypasses one of the EDRs? A few hands. Who thinks this bypasses both? OK, quite a few more. So it didn't bypass one of the EDRs, but it did bypass the other EDR. Small win: we got half of our operation, we got a beacon on half of our operating systems, but we still need to bypass the other one and get a shell. I'm going to come back a bit later to where you see at the end it says "load"; I'm going to speak about that part in a second.

Next we're going to try raising the bar. This time let's pack it. A packer makes modifications: compresses it or removes stuff we don't need from the binary, while still keeping it working. I used UPX, again a quite well-known packer abused by many APT groups. So the shared library, the .so, went from 17 megabytes down to 9.8, so it's further down, quite good. If you look at UPX, I used the flag that means compress it better rather than faster; it goes from 0 to 9. So we are still trying to bypass one of the EDRs: who thinks that was enough to bypass one of the EDRs? No? OK. So even with UPX it didn't bypass one of the EDRs. It's a good EDR, apparently; Linux host EDRs are getting quite good. It's quite a well-known EDR itself.

So again, raising the level, trying to make modifications, trying to make it better. Obviously Sliver uses obfuscation by default, but this time we're going to use GTFOBins, which is the Linux equivalent of LOLBAS. If you know LOLBAS, it's using common tools that are already on the host to execute your payload; it's just other ways to execute your payload. So GTFOBins is the Linux version of it: finding a way to execute shared libraries, load a library. We can use this with Python, which works with 2.7 and works with 3; this way we just input our library and Python will execute our payload instead of us executing it directly. So trying that, raising the bar: who thinks that was enough to gain a shell on this host? Not many hands, but OK, let's see. It did bypass that fancy EDR. All you have to do is use a bit of GTFOBins, get another program to execute your payload. So now we've got beacons on both hosts.

Going back to what I discussed earlier, "load": it's worth noting, obviously, if you know DLLs they have a function you have to call, and it's the same thing here with shared libraries. The standard function call in Sliver shared libraries is StartW, which is here on the right, so we're just telling it to start this function call and then the payload executes. On the left it's the already-executed payload from the beginning; we don't have to call that function, it knows where to enter and execute the payload. So we got beacons, and from now until the end of the talk I want to share with you the things I've learned. I
think sharing this information is quite important. The next part will be tools that I learned about during the engagement, and other techniques and stuff which could be helpful for you if you're trying to compromise a host and want to use something else, more stealthy. So that's going to be custom tooling.

When I started reading about all this malware evasion for Linux, all this cool stuff, most of it talks about memfd and how useful it is, and when I read it (I'll give you a second to read it) it made no sense to me, because in my head everything in Linux is a file. Everything is treated as a file, processes are files, everything is a file, so that made no sense to me. It talks about how to execute code only in memory, in RAM, not backed by a file. So I went and spoke to someone to try to figure out where my mistake was, why I didn't get it. In Linux, everything is not a file: everything is standard in, standard out, or standard error; everything starts with streams of input and output. That was my mistake, my misunderstanding. So, reading more about memfd and how it does it: it creates an anonymous file descriptor, and it uses that only in RAM. This sounds amazing, because it's everything we need: it's all in memory, no dropping anything to a file, and Linux servers are unlikely to get rebooted, so we're all good. The feeling of it is like syscalls in Windows; it sounds perfect. Let's think a bit about that, and you can see here at the bottom that it's that easy to execute, it's really easy to use. So how does memfd work? You can see here: we create the descriptor, it does the memory allocation, adds zeros into it, sets the permissions correctly, and then it's quite easy, it returns the file descriptor, and that's it, we've got our beacon in memory. It's amazing.

And these are the tools you can use to actually abuse it: ELF-in-memory does what it says on the tin, executes the binary itself in memory straight away, or you can even download it into memory; and execve is the syscall for Linux, and we can abuse that as well, there's a tool to do that. The problem with all that, if you remember, is that my operating system is running kernel 3.10, and memfd was not created back then, so it wasn't good for me, but hopefully it'll be good and helpful for you.

I want to speak about more stuff I learned, and how you can stay stealthy during those engagements. The first thing I learned, well, I knew about it but never actually tried it, is that there are actually BOFs for Linux as well. If you don't know what a BOF is, beacon object files are a way in Windows to execute COFF files, which are basically very raw files, and they're very stealthy, it's really hard to detect them. So there's a Linux version for Linux, great, that's what we need. Thank you TrustedSec, they created that library to execute ELF files in memory in a very stealthy way, so if you want to stay evasive or add that to your C2, that's quite a good add-on, it's quite cool. By the way, this photo, I asked Google to create me a photo and that's what it gave me, because our AI isn't that good with images yet.

Other stuff I learned along the way is about a tool from a recent conference talk, a way to execute a file when you don't have write permission, on read-only operating systems. It's very common in Kubernetes to have pods which are mounted read-only and no-execute, so this is a good way to execute payloads even with those limitations. I recommend looking at that YouTube talk, it's really cool, they do quite a few nice things in there.

The next thing worth noting is about LinPEAS.
How many of you have used LinPEAS in the past? Quite a few hands. It's quite a well-known tool, it enumerates a lot, and it's quite good for detecting privilege escalation methods in Linux. But most of us download the binary and execute it. A better way is actually modifying it, of course, and they actually give in their repo a way to build LinPEAS choosing only what you want. Obviously a big indicator of LinPEAS could be the logo, the ASCII art, so you can easily remove it by using the builder in their repo: don't execute every command, just set up the sections you want and use that.

The other thing worth seeing are static binaries. These are quite big; there's a quite well-known repo with binaries like nmap, ls and anything, statically compiled. You don't need any other files, you can just drop them to disk and use the tool. But all the tools in that repo under dist are from seven years ago, so I would recommend you create a CI/CD pipeline and just do it yourself with more modern tools and more modern versions of them.

Other things I've learned during this are about Docker. I knew about Docker; in my head it was like executing in a VM: I have a Windows host and a VM, it's quite stealthy because the EDR mostly can't see into those VMs. So if I spin up a Docker machine and execute all my commands from that Docker, I might stay under the radar. But as you can see here in this photo, I actually got caught by the EDR for trying to do that, so be careful there. One of them did see into my Docker, the other one didn't, so be careful. This was me just trying to execute LinPEAS with a modified version and see what I can see, because it also has a range of things.

The next slide is for the blue teamers. What can you do, you cool blue teamer, to actually detect those things? Look up AppArmor, which is the equivalent of AppLocker in Windows, or SELinux, which is permissions, ACLs, a way to stop stuff from executing or to set correct permissions. And don't forget the logs, those are very important things. If you're blue and trying to defend against C2, I highly recommend looking at those. I feel like this is very sporadic, it's a lot of stuff, but I just want to pass on what I learned during this engagement to you guys; I hope you find it interesting.

Other things I've noticed during the engagement: on a Windows host it's quite easy to determine what EDR you're up against; there are many tools, there are many BOFs to detect those. In Linux there isn't one, so here's a repo with all the EDR names and the services they use when they're started. If you find any other EDR out there, I'll happily accept PRs. That's a good, quite easy way to detect what EDR you're coming up against. And what you can do, obviously, is go home and start your own lab with that idea and try that. Another thing I didn't know about is MITRE ATT&CK for Linux; it's not just Windows, there's also a Linux version which you can use to set TTPs and align them in your report. And the last few things: if you want to create your own lab, you want to go home and practice those smaller evasions, this is quite good stuff to go for. And again, things that surprised me: Sysmon for Linux or Procmon for Linux. They're quite well known in the Windows area, but they also exist for Linux, so go and try, go and practice, go sharpen your skills. If you want to learn more, this is a good link for tools or tutorials about how to create malware for Linux. And last but not least, what the client learned from this: we had daily calls to discuss the TTPs, what we tried, what we didn't try, they wrote new rules for the EDRs, we increased their detection rate, the client was happy, we increased our skills, we learned from this, we sharpened our weapons so next time could be a lot better, and the client was happy. That was my part of the talk; now Max is going to talk about WSL. Thanks.

Hello everyone. We split this talk into two; Edan has just presented the first half, and I'm going to present a little bit on leveraging Windows Subsystem for Linux to bypass modern detection when we're operating in modern environments. We'll run through a basic introduction of WSL and how we can install it, common
malware we see which leverages WSL in the wild, dubbed Bashware, some use cases or ways that we can abuse this as red teamers or in offensive security, some visibility and telemetry, and then some other considerations and points of interest at the end. By way of a quick show of hands, has anyone really had much experience with WSL in the past? OK, cool. So this is kind of aimed at all levels. I won't be going into huge detail in individual sections; I'm trying to get a kind of cover-all to convey how it can be useful for us in certain situations, but by all means it's not an in-depth look.

There's not a huge amount of coverage or attention in the public eye for WSL. Threat actors have been known to use containers or VMs to their advantage, and there have been a few real-world cases; if you search the internet you'll find a couple of blog posts documenting this, but it doesn't seem to be a common occurrence, it tends to be those few cases. This is perhaps because there are some prerequisites, some constraints, and quite frankly there are easier ways of getting the job done if you're trying to stay under the radar and execute malware on Windows hosts. But it is useful in its own right, so the main goal of this presentation is just to explain how it can be useful for us.

As a basic overview: a Linux environment directly on Windows, that is about as basic as it gets, but it brings the advantages of Linux to Windows. It's installed by default on Windows 10 and above, so that's including server editions, Windows Home and Pro. Although it's installed by default, distributions won't be installed by default, and that requires administrative rights to install a distribution, although those distributions, once installed, can be accessed by low-privilege users from the Windows environment.

There are a couple of differences in versions. The main versions are one and two, which we'll touch on a little later on. Version one uses a translation layer; it effectively emulates the Linux kernel, whereas WSL version two uses virtualisation. Version one uses pico processes. I won't go into huge detail here, but it's effectively a minimal process without some of the common components of an NT process, so no PEB, threading etc., and they rely on pico providers. There are two here, lxss.sys and lxcore.sys, and those pico providers act as Windows kernel-mode drivers to emulate the Linux kernel, so lxss.sys will translate Linux syscalls into Windows NT calls, which allows us to run unmodified ELF binaries on Windows. Version two, then: the main difference here is the architecture change. Version two uses virtualisation, and that's on the Windows-native Hyper-V, so you don't need to configure anything else, you don't need to install VMware or VirtualBox, it just runs on Hyper-V and it's built in. This means that it has a complete Linux kernel rather than acting as a translation layer as it does in version one. Performance improvements in version two mean that you get faster code execution, less memory used, among others, and there is a difference in the logging capabilities in Windows, which we'll touch on a little bit later, between the two versions.

So we're going to talk about installation. This is kind of twofold: you can either use this in a test environment, if you wanted to install WSL and have a play about, or if you come across a host on a red team, a Windows host where you have local admin rights, then you can use this method to either install a distribution or, if you need to, try and enable WSL to start with. The differences in versions: version one, you probably won't be using this, but if you wanted to, you can provision your Windows VM or your Windows workstation, then enable WSL version one in Windows Features, and then you're free to install a distribution. We can list distributions to see if any are currently installed or whether our installation has been successful; I'll show you how to do that in a second. In version two the only real difference is to enable virtualisation, and that's also done in Windows Features. So these are the basic steps here, hopefully that's clear. We can enable using DISM, enable virtualisation doing the same, and then we can install a distribution with the -d flag to name the distribution we want to install. We can also list those; there's an online repository, you can install these from the Microsoft Store or via the command line. Post-installation of a distribution, for both versions, you'll need to reboot, and then we can list our distributions with the list flag shown at the bottom there.

Bashware, then. You might be asking, has it really been used for
malicious purposes in the wild? Apparently it has. If you do a search there's a little bit of information out there, but this is the term commonly used to describe WSL malware on Windows. There have been a few variants in the wild, mainly using Python, nothing specifically or especially advanced, mainly using Python and ctypes, but there have been some cases of cross-platform compatible malware targeting WSL.

So why could it be useful for us as red teamers on our engagements? We're going to touch on why we care, effectively. A couple of the capabilities it affords us: we can execute commands through WSL, either on the command line as a one-liner, or we can drop into a shell interactively and execute commands that way. We can execute Linux binaries. How is this useful to us? There are some significant advantages to executing Linux binaries on Windows, which we'll touch on in a minute, and this may allow us to execute malware which can evade AV and EDR products; they might be more blind to Linux-based malware than Windows-based malware. This is not always the case, but it just kind of tips the odds in our favour. From the Windows side, WSL files can be accessed by standard Windows users and are less restricted; we'll touch on that later on, but usually no elevation is required to read sensitive files on the Linux file system from Windows, which can be useful. And files are mounted from within the Linux distribution, so the C drive is effectively mounted from within the Linux distribution and can be found in /mnt/c. In version two there are some logging implications, which we'll touch on again in a minute, but effectively any arguments you pass in an interactive WSL 2 session might not be visible in EDR or Windows event logs; you'll still be able to see the process creation, but command-line arguments won't be visible. Using Linux binaries on Windows also affords us possible application allow-listing bypasses. If we were able to run ELF binaries or file types foreign to Windows, it's likely that products like AppLocker may not be configured to block specific files like that, so ELF files, Bash scripts, and this could allow us to bypass these controls without having to use heavily monitored techniques. And then lastly we can use WSL programmatically, and one of the ways to do this is to use the WSL API provided by Microsoft; the link there at the bottom is for the documentation, and we'll touch on that a bit later on as well.

So I wanted to give a flavour of how straightforward it is to take advantage of this for offensive purposes. If you imagine a scenario where we were dropping an msfvenom Windows executable to a Windows host, just a straight exe, the fight is going to be fairly one-sided in favour of the EDR and AV products on the host. However, if we were to change that to an ELF binary, and we just generate a standard msfvenom ELF binary, nothing special, you can see I've used no encoders and I've not obfuscated it after the fact: how many people in the room think that is likely to get past a Windows EDR? OK, a few. But it does: no AV or EDR static detection, no visible alerts, the file wasn't blocked, and this is an up-to-date version of the AV as well; you can see I tested that, I think, five days ago, I retested that. So if we were to drop that file to disk and execute it in WSL, this is in an interactive WSL shell, then we're able to execute that. Obviously this is a very basic example, just popping Notepad, but it shows what we can do. If we wanted to dig a bit deeper into that, the process tree for execution can be seen in your EDR console of choice: on the left-hand side you can see that the bash process has created Notepad, and we can see the process tree on the right-hand side here. So it is visible, but no static or behaviour-based alerts have been triggered in the testing environment, and if we were
to have dropped a Windows exe, the story would be very different here. This opens up our options on target during a red team, or even a pentest if we're looking to bypass security controls: Linux binaries can be very useful. That's only a very simple example, but if we wanted to get a bit more creative and we wanted to, for example, get C2, command and control, we could use this in a similar vein. In this example here I've used chisel, which is an open-source TCP/UDP client I'm sure most of you have heard of; it uses HTTP over SSH. I've compiled this, it's written in Golang, I've compiled this as an ELF binary, a Linux executable, dropped it to the box, and we have successfully connected back to our C2 server on the internet and we have an SSH tunnel connected there. That's on the same host as before, with AV and EDR installed.

Moving on to file restrictions: there are some characteristics of how the file system works which can be helpful to us as an attacker. If a file is not readable in Linux, it may be possible to read this file from Windows, as we touched on earlier. Files can be accessed using File Explorer: \\wsl.localhost followed by the distribution name will give us the distribution root directory, and then we can browse to the directory of our choice. Here I've just viewed the shadow file in Notepad as a low-privileged Windows user; obviously as a low-privileged Linux user you wouldn't be able to do that. So there are some differences in user restrictions on both sides, and if we wanted to we could take the hash there and crack it offline, and pray and hope that the user has used that password for the Windows user as well.

If we wanted to build this out, then some tooling for WSL: one way we could do that effectively is using the WSL API which we touched on earlier. This is a Windows API, and these are just a couple of the functions here which could be useful. We can check if a distribution is registered, we can launch that distribution with a command interactively, and we can even register distributions ourselves, so we can either register default distributions or custom distributions, and it is possible to build your own custom distribution. The default distributions are fairly standard, Ubuntu, Debian; I think there's even a Kali installation you can use if you wanted some attacking tooling. So with that in mind, I built a small proof of concept just to see what this looked like, and executed the whoami command here, as you can see on the right-hand side. This gives us the ability to execute Linux commands or local binaries programmatically. I've compiled that as a Windows executable, but that's using the WSL API, and you can see here it checks the distribution exists, runs the command and then prints us the output, and that's using the WslLaunchInteractive function, written in C++. A very basic example, but if we wanted to modify that slightly to match the scenario we talked about earlier, to gain C2 control, then we could use that to run a local binary, the chisel ELF binary in the same directory, and that will execute the local file, which then reaches out and connects via SSH to our C2 server. So again, very basic examples, but better programmers than I will be able to use that to good effect.

We're going to talk about visibility and telemetry a bit here. When we talk about visibility and telemetry, we are speaking about how a defender might be able to track our activities as attackers, and how that might impact what we choose to do on target or what we choose not to do. It's always important to keep OPSEC in mind as a red teamer, or even as a pentester; if you're trying to get the job done with minimal resistance, it's a good idea to have some idea of the consequences of our actions on target. Windows event logs, native Windows logging, can offer some visibility into the activity we conduct through WSL; however, there are some differences in versions. Sysmon can log process creation command-line events executed by the user in version one, and version two is a slightly different story, as you see on the next slide. On the left-hand side here (apologies if that's quite small, I'll explain it) we've got WSL run as a single command, the user just running whoami, and you can see that the command-line argument has been captured. On the right-hand side we've run that from an interactive session and no command-line arguments have been captured there. So it will log process creation and it will show when new processes are created, but you won't be able to see command-line arguments, which can afford us a little bit of movement when we're operating and trying to stay as stealthy as possible. Same view from EDR telemetry, then: on the left-hand side it's a different command but the same concept, we've used curl to reach out to a host on the local network and download a file. On the right we can see the process tree there; we can even see the command that's been used on the right-hand side, and from an interactive session all we can really see is the network traffic. So it's just a little bit of a difference in logging capabilities when using it on the command line or interactively in a shell.

We're going to touch on a couple of
points of interest and considerations, which I think I just have time for. Restricting access: if you can't view the file system from Linux, the Windows file system from Linux, then it might be because of this. It's possible to restrict access to the file system using automount, and this is done by placing a wsl.conf file in the /etc directory; by setting that to false it will prevent automounting of the Windows drive. We can also prevent Windows processes from running from within Linux, and that's done in the interop settings there as well. Some network considerations to make, just quickly: the default mode is NAT-based, OK, so if you're in a default distribution you're going to be using a NAT-based networking architecture, which is not ideal from an attacking machine within a local area network or an enterprise environment, for obvious reasons. However, mirrored mode networking does exist, which is a feature that allows you to connect to WSL from the LAN, so if that's configured then you might have some more manoeuvrability there, and this also offers IPv6 support. There's a DNS tunnelling feature which uses a virtualisation feature for DNS requests from within WSL without having to configure individual host names to IPs. And then auto proxy, this is an important one: if auto proxy is enabled, then this will take the Windows HTTP proxy information, system proxy information. In an enterprise environment, if you're up against Zscaler or something like that and the environment you're in is using that as a proxy, then auto proxy will force WSL to use the same system proxy settings as Windows, so just one to know. And then lastly, persistence: much in the same way we would get persistence on a normal Linux host, we can create or modify systemd services to repeatedly execute malicious payloads as part of persistence. This isn't possible in WSL version one, as we don't have full virtualisation, we don't have systemd or init, but we can still daemonise WSL processes to set them as persistent processes. There are some limitations to this, which I don't really have time to go into as I think I'm on time. That brings us to a close. Some further reading: if you want to look into logging specifically, this white paper here at the top by Amanda Draeger is really good, it covers some in-depth logging capabilities for WSL; the WSL documentation for the API; and the manual install steps as well there. That brings us to a close, thanks very much for listening.
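The memfd technique Edan describes in the first half, together with the blue-team check for it, as an added example that is not code from the talk or from any of the tools the speakers mention. It stages a constructed payload (a tiny shell script, standing in for an ELF implant, so the example runs anywhere) into an anonymous RAM-backed file with memfd_create, executes it through fexecve without ever writing to disk, and then does what a defender would do: walks /proc/<pid>/exe looking for link targets that begin with "/memfd:". Linux only, kernel 3.17 or newer, which is exactly why it would not have worked on the 3.10 hosts in the engagement. The payload bytes and the name passed to memfd_create are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Constructed sample payload: a shell script instead of an ELF so the example
   runs without an embedded implant. An ELF would be staged the same way. */
static const char SAMPLE_PAYLOAD[] = "#!/bin/sh\nexit 42\n";

/* Stage bytes into an anonymous, RAM-backed file (memfd_create, Linux >= 3.17).
   flags = 0 on purpose: with MFD_CLOEXEC an interpreted payload would lose its
   /dev/fd/N handle at exec time. Returns the fd, or -1 on failure. */
int memfd_stage(const void *buf, size_t len, const char *name)
{
    int fd = (int)syscall(SYS_memfd_create, name, 0);
    if (fd < 0) return -1;
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n <= 0) { close(fd); return -1; }
        p += n;
        len -= (size_t)n;
    }
    if (lseek(fd, 0, SEEK_SET) < 0) { close(fd); return -1; }
    return fd;
}

/* Size of what was staged, read back through fstat (-1 on error). */
long memfd_staged_size(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return (long)st.st_size;
}

/* 1 if the /proc symlink at procpath points at a memfd, else 0. The kernel
   names these "/memfd:<name> (deleted)", which is the detection artefact. */
int link_is_memfd(const char *procpath)
{
    char target[PATH_MAX];
    ssize_t n = readlink(procpath, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return strncmp(target, "/memfd:", 7) == 0;
}

int fd_is_memfd(int fd)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    return link_is_memfd(path);
}

/* Red-team side: exec the staged fd in a child, nothing touches disk.
   Returns the child's exit status, or -1 if it could not be run. */
int memfd_exec_wait(int fd, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        fexecve(fd, argv, environ);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Blue-team side: count running processes whose main executable is a memfd.
   Catches an ELF launched straight from a memfd; for an interpreted payload
   the exe is the interpreter, so you would also inspect /proc/<pid>/fd. */
int count_memfd_backed_processes(void)
{
    int count = 0;
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9') continue;
        char path[288];
        snprintf(path, sizeof path, "/proc/%s/exe", e->d_name);
        if (link_is_memfd(path)) count++;
    }
    closedir(d);
    return count;
}

int main(void)
{
    int fd = memfd_stage(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD - 1, "");
    if (fd < 0) { perror("memfd_create"); return 1; }
    printf("staged %ld bytes, memfd-backed: %d\n", memfd_staged_size(fd), fd_is_memfd(fd));
    char *argv[] = { "payload", NULL };
    printf("payload exit status: %d\n", memfd_exec_wait(fd, argv));
    printf("memfd-backed processes visible in /proc: %d\n", count_memfd_backed_processes());
    return 0;
}
```

Two practical points follow from the code. The anonymous file is only anonymous on disk: it is fully visible under /proc, as a "/memfd:" link in the process's fd table and, for an ELF run this way, as its exe, which is what the /proc walk above keys on and what a Sysmon for Linux or EDR rule can key on too. And the choice of flags matters: MFD_CLOEXEC is the safer default for an ELF implant, but it breaks the shebang path for scripts, so pick it per payload type.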