As Windows development marches on, with it comes numerous improvement and innovations. However, as with all technical advances, this can lead to unexpected vulnerabilities or systems to maliciously exploit. WSL2 is the new and improved Linux subsystem in Windows. WSL is a built-in mechanism that allows Linux distributions to be installed and run as a component of the host OS.
We have shown in previous papers how WSL1 could be used for malicious actions. In this paper, we explore the new and improved WSL2 explaining its operational makeup, its potential appeal to attackers and investigate potential malicious capabilities. We will dissect the primary difference between the legacy and new system and explain the benefits and flaws of this upgrade. We outline some of the flaws in the configuration as well as provide tested malicious behavior (with POC) that can be deployed using WSL2.
By understanding the key differences and potentially malicious behavior, we will also provide a defensive monitoring evaluation and explain the potential methods of detection for this component. We also explain the key differences in detection between the two versions and the difficulties that arise from the new architecture.