Investigating Windows Subsystem for Linux (WSL) Endpoints

Asif Matadar

Since the announcement of the Windows Subsystem for Linux (WSL) back in 2016, there has been a lot of excitement to try and leverage WSL across workstations and servers a like by organisations and those that work in the industry. With the announcement of WSL 2 and the architecture changes that have been incorporated, it is no surprise that the momentum and interest is only growing.

What does that mean for someone who works as a Digital Forensics & Incident Response professional? Well adversaries and malware authors have already started focussing their attention on WSL; therefore, it is important to understand the underlying architecture changes that will allow one to investigate a compromised Windows 10 or Windows Server 2019 in the not too distant future.

This talk will highlight the nuances to be aware of from a Digital Forensics & Incident Response perspective and illustrate forensic artefacts of interest, which will consist of compromised WSL Endpoints using 10 unique attacker techniques, such as Execution including Living Off The Land Binaries – LOLBins, Persistence, Lateral Movement, Command and Control, and Exfiltration.

About Asif Matadar

Asif (@d1r4c) is Director of Endpoint Detection & Response (EDR) at Tanium where he utilises his experience and knowledge of Incident Response, Endpoint Forensics, and Threat Landscape to support high-profile clients' around the world.

Asif has over 9 years’ experience in incident response leading high-profile cases, such as advanced targeted attacks, nation-state attacks, highly complex incidents, data breaches along with penetration tests on infrastructure, web and mobile applications.

Asif has particular interest in research where he has delivered presentations at industry recognised conferences internationally with a keen focus on memory analysis and automation, *nix-based forensics, PowerShell as a defence capability, cloud forensics, and triage analysis.