DIGITAL FORENSIC RESEARCH CONFERENCE

Investigating Windows Subsystem for Linux (WSL) Endpoints

By:
Asif Matadar (Tanium)

From the proceedings of

The Digital Forensic Research Conference

DFRWS 2020 USA
Virtual -- July 20-24

DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001,
DFRWS continues to bring academics and practitioners together in an informal environment.
As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development.

https://dfrws.org
 Investigating WSL Endpoints
Asif Matadar
@d1r4c

DFRWS USA 2020

#whoami

• Director of Endpoint Detection & Response (EDR) at Tanium

• International public speaker:

• WSLConf (U.S.) 2020

• OSDFCon (U.S.) 2019
• OSDFCon (U.S.) 2018
• IMF (Germany) 2018
• OSDFCon (U.S.) 2017
• BSidesNOLA (U.S.) 2017
• BSidesMCR (U.K.) 2015

• Research focus on memory analysis and automation, *nix-based forensics, cloud forensics,
and triage analysis

©2017 Tanium. All rights reserved. 2

Investigating WSL Endpoints

• Since the announcement of the Windows Subsystem for Linux (WSL) back in 2016, there has been
a lot of excitement to try and leverage WSL across workstations and servers a like by organisations
and those that work in the industry.

• What does that mean for someone who works as a Digital Forensics & Incident Response
professional?
• Well adversaries and malware authors have already started focussing their attention on WSL;
therefore, it is important to understand the underlying architecture changes that will allow one
to investigate a compromised Windows 10 or Windows Server 2019 in the not too distant
future.

• This talk will highlight the nuances to be aware of from a Digital Forensics & Incident Response
perspective and illustrate forensic artefacts of interest, which will consist of a forensic examination
on a WSL Endpoint to provide the audience an appreciation of what that entails and share insights
that will assist them when the time arises.

©2017 Tanium. All rights reserved. 3

Agenda

• What is WSL 2?

• What does that mean for Digital Forensics & Incident Response professionals?

• Forensic examination on a WSL Endpoint

• 9 experiments

©2017 Tanium. All rights reserved. 4

What is WSL2?
What is WSL 2?

• Full System Call Compatibility

• WSL 2 has its own customised kernel specifically for WSL 2
• Docker

• WSL 1 had a translation layer to interpret the system calls, that allows them to
work on the Windows NT kernel

• Faster than WSL 1

• Raw sockets

©2017 Tanium. All rights reserved. 6

What is WSL 2?

• New architecture for Windows Subsystem for Linux

• Developed in-house kernel from stable branch at kernel.org source from version 4.19 kernel

• Customised kernel specifically for WSL 2

• As it’s developed by Microsoft, updates to the kernel will be serviced by Windows Update

• Lightweight Utility VM
• Hyper-V hypervisor

©2017 Tanium. All rights reserved. 7

What does that mean for Digital
Forensics & Incident Response
professionals?
 What does that mean for Digital Forensics & Incident Response
professionals?

• Full System Call Compatibility

• Lightweight Utility VM
• Hyper-V hypervisor
• Not a traditional Virtual Machine
• EXT4 Virtual Disk
• C:\Users\User\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onW
indows_79rhkp1fndgsc\LocalState\ext4.vhdx

• Management of WSL
• wsl.exe (WSL 2)
• wslconfig (WSL 1)

©2017 Tanium. All rights reserved. 9

What does that mean for Digital Forensics & Incident Response
professionals?

Environment Variables

©2017 Tanium. All rights reserved. 10

What does that mean for Digital Forensics & Incident Response
professionals?

WindowsApps

©2017 Tanium. All rights reserved. 11

What does that mean for Digital Forensics & Incident Response
professionals?

WindowsApps

©2017 Tanium. All rights reserved. 12

What does that mean for Digital Forensics & Incident Response
professionals?

WindowsApps

©2017 Tanium. All rights reserved. 13

What does that mean for Digital Forensics & Incident Response
professionals?

WindowsApps

©2017 Tanium. All rights reserved. 14

Forensic examination on a WSL
Endpoint
 Forensic examination on a WSL Endpoint

• Environment:

• Windows 10 Pro
• Version 2004
• Installed on 12/12/2019
• OS Build 19041.84

©2017 Tanium. All rights reserved. 16

 Forensic examination on a WSL Endpoint

• Experiments

1. Persistence: Bashrc
2. Persistence: Persistence through Inception! (Systemd)
3. Execution: PowerShell Reverse Shell
4. Execution: Python Download File
5. Lateral Movement: Remote File Copy
6. Command and Control: Custom Command and Control Protocol
7. Execution: wsl.exe
8. Execution: bash.exe
9. Execution: curl.exe

©2017 Tanium. All rights reserved. 17

Persistence: Bashrc
Forensic examination on a WSL Endpoint
Persistence: Bashrc

Registry Key: HKEY_CURRENT_USER\Environment

Registry Key Name: BASH_ENV
Registry Data Name: /etc/bash.bashrc

©2017 Tanium. All rights reserved. 19

Forensic examination on a WSL Endpoint
Persistence: Bashrc

Modify /etc/bash.bashrc Attacker Listener

©2017 Tanium. All rights reserved. 20

Forensic examination on a WSL Endpoint
Persistence: Bashrc

• Trace the MAC times and data contents

• /etc/bash.bashrc, ~/.bash_history, ~/.sh_history
• Timeline of the inodes

• Process Execution:
• AMCache Program Entries
• 2020-02-26 10:21:57,CanonicalGroupLimited.UbuntuonWindows,1804.2019.521
• AMCache Associated File Entries
• CanonicalGroupLimited.UbuntuonWindows,2019-12-12 21:48:22
• AppCompactCache
• C:\Program
Files\WindowsApps\CanonicalGroupLimited.UbuntuonWindows_1804.2019.521.0_x64
__79rhkp1fndgsc\ubuntu.exe
• CanonicalGroupLimited.UbuntuonWindows

©2017 Tanium. All rights reserved. 21

Forensic examination on a WSL Endpoint
Persistence: Bashrc

• UserAssist

©2017 Tanium. All rights reserved. 22

Forensic examination on a WSL Endpoint
Persistence: Bashrc

• Prefetch
• /Windows/Prefetch/UBUNTU.EXE-39E7ED6A.pf

• MFT
• /Users/User/AppData/Local/Packages/CanonicalGroupLimited.UbuntuonWindows_79rhkp1
fndgsc/LocalState/ext4.vhdx
• /Users/User/AppData/Local/Microsoft/WindowsApps/ubuntu.exe
• /Users/User/AppData/Local/Microsoft/WindowsApps/CanonicalGroupLimited.UbuntuonWi
ndows_79rhkp1fndgsc/ubuntu.exe

©2017 Tanium. All rights reserved. 23

Persistence: Persistence through
Inception! (Systemd)
Forensic examination on a WSL Endpoint
Persistence: Persistence through Inception! (Systemd)

Systemd Service Attacker Listener

©2017 Tanium. All rights reserved. 25

Forensic examination on a WSL Endpoint
Persistence: Persistence through Inception! (Systemd)

Run Key Attacker Listener

©2017 Tanium. All rights reserved. 26

Forensic examination on a WSL Endpoint
Persistence: Persistence through Inception! (Systemd)

• Systemd Journals
• /run/log/journal/*/system.journal
• /run/systemd/journal/*

• Systemd configuration files

• /etc/systemd/system/*
• /run/systemd/*
• /var/lib/systemd/*
• /usr/lib/systemd/*

• Registry Artefacts for persistence

©2017 Tanium. All rights reserved. 27

Forensic examination on a WSL Endpoint
Persistence: Persistence through Inception! (Systemd)

tmp Directory MAC Times

First and last interacted

©2017 Tanium. All rights reserved. 28

Execution: PowerShell Reverse Shell
 Forensic examination on a WSL Endpoint
Execution: PowerShell Reverse Shell

PowerShell
Reverse
Shell

Attacker
Listener

©2017 Tanium. All rights reserved. 30

Execution: Python Download File
Forensic examination on a WSL Endpoint
Execution: Python Download File

Python
Download
File

©2017 Tanium. All rights reserved. 32

Lateral Movement: Remote File Copy
Forensic examination on a WSL Endpoint
Lateral Movement: Remote File Copy

Enable trace

©2017 Tanium. All rights reserved. 34

Forensic examination on a WSL Endpoint
Lateral Movement: Remote File Copy

netsh trace start Download file with python

©2017 Tanium. All rights reserved. 35

Forensic examination on a WSL Endpoint
Lateral Movement: Remote File Copy

Stop trace

©2017 Tanium. All rights reserved. 36

Forensic examination on a WSL Endpoint
Lateral Movement: Remote File Copy

Download file with python

©2017 Tanium. All rights reserved. 37

Forensic examination on a WSL Endpoint
Lateral Movement: Remote File Copy

Download file with python

Extract and download file

©2017 Tanium. All rights reserved. 38

Command and Control: Custom
Command and Control Protocol
 Forensic examination on a WSL Endpoint
Command and Control: Custom Command and Control Protocol

Start trace

©2017 Tanium. All rights reserved. 40

Forensic examination on a WSL Endpoint
Command and Control: Custom Command and Control Protocol

Socat Reverse Shell

©2017 Tanium. All rights reserved. 41

 Forensic examination on a WSL Endpoint
Command and Control: Custom Command and Control Protocol

Stop trace

©2017 Tanium. All rights reserved. 42

Forensic examination on a WSL Endpoint
Command and Control: Custom Command and Control Protocol

Socat Reverse Shell

©2017 Tanium. All rights reserved. 43

Forensic examination on a WSL Endpoint
Command and Control: Custom Command and Control Protocol

Socat Reverse Shell

©2017 Tanium. All rights reserved. 44

Execution: wsl.exe
 Forensic examination on a WSL Endpoint
Execution: wsl.exe

wsl.exe Execution

©2017 Tanium. All rights reserved. 46

Forensic examination on a WSL Endpoint
Execution: wsl.exe

wsl.exe Execution

©2017 Tanium. All rights reserved. 47

Forensic examination on a WSL Endpoint
Execution: wsl.exe

©2017 Tanium. All rights reserved. 48

Forensic examination on a WSL Endpoint
Execution: wsl.exe

• Process command line activity

• Process lineage

• Caveat:
• Execution of Linux commands will not be saved in ~/.bash_history, ~/.sh_history, etc,

©2017 Tanium. All rights reserved. 49

Execution: bash.exe
Forensic examination on a WSL Endpoint
Execution: bash.exe

bash.exe Execution

©2017 Tanium. All rights reserved. 51

Execution: curl.exe
Forensic examination on a WSL Endpoint
Execution: curl.exe

curl.exe Execution

©2017 Tanium. All rights reserved. 53

 Conclusion

• Adversaries and malware authors will continue to explore attack surfaces on WSL 2, as it
becomes more prevalent across enterprise environments

• WSL 2 Endpoints is going to make Digital Forensics and Incident Response professionals lives a
lot more interesting

• I highlighted 9 techniques based on my initial research, but I expect there to be more attack
surfaces with WSL 2

©2017 Tanium. All rights reserved. 54

 References
• OSDFCon 2019: Investigating Linux Endpoints
• https://www.osdfcon.org/presentations/2019/Asif-Matadar_Investigating-Linux-Endpoints.pdf

• https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/

• https://twitter.com/d1r4c/status/1280196218308694016

• https://lolbas-project.github.io/lolbas/Binaries/Bash/

• https://twitter.com/d1r4c/status/1279085773522862082

• https://twitter.com/d1r4c/status/1279042657508081664

©2017 Tanium. All rights reserved. 55

Thank you