medium advisory

Windows Subsystem for Linux Enabled via Dism Utility

Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.

Attackers may enable the Windows Subsystem for Linux (WSL) to run Linux applications and tools directly on Windows, potentially bypassing security controls and hindering detection. This involves using the Dism.exe utility to enable the “Microsoft-Windows-Subsystem-Linux” feature. By leveraging WSL, adversaries can execute malicious code, access Windows resources, and perform various malicious activities while blending in with legitimate system processes. The use of WSL provides an environment where traditional Windows-based security solutions may have limited visibility, thus offering a way to evade detection. This activity has been observed as a post-exploitation technique, used after initial access to a compromised system.

Attack Chain

  1. An attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.
  2. The attacker executes Dism.exe (Deployment Image Servicing and Management tool).
  3. Dism.exe is invoked with the command-line argument to enable the “Microsoft-Windows-Subsystem-Linux” feature.
  4. The system processes the Dism.exe command and enables WSL.
  5. The attacker installs a Linux distribution (e.g., Ubuntu, Kali) within the WSL environment.
  6. The attacker uses the WSL environment to execute Linux-based tools and scripts for reconnaissance, lateral movement, or data exfiltration.
  7. The attacker leverages the WSL environment to interact with Windows resources or execute Windows commands.
  8. The attacker achieves their objective, such as stealing sensitive data or establishing persistence on the compromised system.

Impact

Successful enablement of WSL can lead to a compromised Windows system being used as a platform for Linux-based attacks. This can result in data theft, system compromise, and further propagation of malicious activity within the network. The use of WSL can make it difficult to detect malicious activity since it allows attackers to blend Linux-based attacks with normal Windows operations. The lack of visibility into the WSL environment by traditional Windows security tools can lead to prolonged periods of undetected malicious activity.

Recommendation

  • Monitor process creation events for the execution of Dism.exe with command-line arguments that include Microsoft-Windows-Subsystem-Linux to detect WSL enablement attempts (see Sigma rule Detect WSL Enablement via Dism).
  • Enable Sysmon process creation logging to capture detailed command-line information for processes, which is crucial for detecting this activity (Sysmon Event ID 1).
  • Implement the provided Sigma rule to detect suspicious usage of the DISM utility to enable WSL. Tune the rule based on your environment to minimize false positives.
  • Investigate any alerts generated by the Sigma rule Detect WSL Enablement via Dism to determine the legitimacy of the activity.
  • Monitor network connections originating from WSL processes for suspicious outbound traffic.
  • Consider blocking the execution of Dism.exe if WSL is not a sanctioned tool in your environment.

Detection coverage (2 rules)

Detect WSL Enablement via Dism

medium

Detects attempts to enable Windows Subsystem for Linux (WSL) using the Dism.exe utility.

Type: Sigma | Tactics: defense_evasion | Techniques: T1202 | Sources: process_creation, windows

Detect Dism.exe Usage for Feature Enablement

low

Detects Dism.exe being used to enable Windows features, which could be abused to enable WSL.

Type: Sigma | Tactics: defense_evasion | Techniques: T1202 | Sources: process_creation, windows
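The Recommendation section asks for process-creation monitoring of Dism.exe, and the two rules above split that into a medium-severity WSL case and a low-severity generic feature-enablement case. The following Python script is an added example written for this page; it is not the platform's Sigma rule and not code from the advisory. It runs the same two-tier logic over a handful of constructed Sysmon Event ID 1 records (the field names Image, CommandLine, ParentImage and User are Sysmon's; the sample values, the `classify` and `run_detection` functions, and the `dism.exe /online /enable-feature /featurename:...` command lines are assumptions made for the demonstration). It matches on the executable basename rather than a substring of the path, and normalises case and whitespace so that `/Enable-Feature` and `/ENABLE-FEATURE` are treated alike.

```python
"""Two-tier detection of Dism.exe feature enablement over Sysmon Event ID 1 records.

Added example for this advisory; not the platform's rule. Event records below are
constructed test data that mimic Sysmon process-creation fields.
"""
import ntpath
import re

# Rule names and severities exactly as the advisory lists them
RULE_WSL = ("medium", "Detect WSL Enablement via Dism")
RULE_FEATURE = ("low", "Detect Dism.exe Usage for Feature Enablement")

# Constructed Sysmon Event ID 1 records (assumed sample data, not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "dism.exe /online /enable-feature "
                    "/featurename:Microsoft-Windows-Subsystem-Linux /all /norestart",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\WINDOWS\SYSTEM32\DISM.EXE",
     "CommandLine": "DISM.EXE   /ONLINE /ENABLE-FEATURE "
                    "/FEATURENAME:\"Microsoft-Windows-Subsystem-Linux\"",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\svc-build"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "Dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "dism.exe /online /get-features",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe enable-feature-notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    # Event ID 3 is a network connection record; process rules must ignore it
    {"EventID": 3, "Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": "", "ParentImage": "", "User": r"CORP\jdoe"},
]

_WHITESPACE = re.compile(r"\s+")


def _normalise(cmdline: str) -> str:
    """Lower-case and collapse runs of whitespace so option matching is
    insensitive to the casing and spacing an operator happened to type."""
    return _WHITESPACE.sub(" ", cmdline.strip()).lower()


def is_dism_image(image: str) -> bool:
    """True when the process image basename is dism.exe (any directory, any case).
    Basename comparison avoids false hits on paths like ...\\notdism.exe."""
    return ntpath.basename(image).lower() == "dism.exe"


def classify(event: dict):
    """Return (severity, rule name) for a matching process-creation event, else None.

    Tier 1 (medium): Dism.exe enabling Microsoft-Windows-Subsystem-Linux.
    Tier 2 (low):    Dism.exe enabling any other feature via /Enable-Feature.
    Queries such as /Get-Features produce no alert.
    """
    if event.get("EventID") != 1:
        return None
    if not is_dism_image(event.get("Image", "")):
        return None
    cmd = _normalise(event.get("CommandLine", ""))
    if "/enable-feature" not in cmd:
        return None
    if "microsoft-windows-subsystem-linux" in cmd:
        return RULE_WSL
    return RULE_FEATURE


def run_detection(events):
    """Apply classify() to every record and return the alerts in input order,
    carrying the fields an analyst needs for triage (user, parent, command)."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, rule = verdict
        hits.append({
            "severity": severity,
            "rule": rule,
            "user": ev.get("User"),
            "parent": ev.get("ParentImage"),
            "cmd": ev.get("CommandLine"),
        })
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['rule']} | user={hit['user']} "
              f"parent={hit['parent']} | {hit['cmd']}")
```

Over the constructed records the script raises two medium alerts (the lower-case and upper-case WSL enablements) and one low alert (NetFx3), while the `/get-features` query, the notepad process and the Event ID 3 record stay silent. The parent image is carried into the alert because, as the Recommendation bullets note, tuning depends on context: Dism.exe launched from a software-deployment agent reads differently from the same command under an interactive shell.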

Detection queries are kept inside the platform.