Use of Windows Subsystem for Linux (WSL)

By only allowing pre-approved software to be installed and run on corporate devices, the subject is unable to install software themselves.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Establish and maintain formal, well-communicated pathways for personnel to request resources, report deficiencies, or propose operational improvements. By providing structured mechanisms to meet legitimate needs, organizations reduce the likelihood that subjects will bypass policy controls through opportunistic or unauthorized actions.

Implementation Approaches

• Create clear, accessible request processes for technology needs, system enhancements, and operational support requirements.
• Ensure personnel understand how to escalate unmet needs when standard processes are insufficient, including rapid escalation pathways for operational environments.
• Maintain service-level agreements (SLAs) or expected response times to requests, ensuring perceived barriers or delays do not incentivize unofficial action.
• Integrate feedback mechanisms that allow users to suggest improvements or report resource shortfalls anonymously or through designated representatives.
• Publicize successful examples where formal channels resulted in legitimate needs being met, reinforcing the effectiveness and trustworthiness of the system.

Operational Principles

• Responsiveness: Requests must be acknowledged and processed promptly to prevent frustration and informal workarounds.
• Transparency: Personnel should be informed about request status and outcomes to maintain trust in the process.
• Accountability: Ownership for handling requests must be clearly assigned to responsible teams or individuals.
• Cultural Integration: Leaders and supervisors should reinforce the use of formal channels and discourage unsanctioned self-remediation efforts.

Monitor for file access operations originating from within the WSL environment targeting the mounted Windows file system at /mnt/c/. This behavior allows the subject to interact with the Windows host's data from a Linux context—often bypassing traditional Windows auditing tools and event logs.

Detection Methods:

Enable command-line logging and process creation auditing for wsl.exe, bash.exe, or associated Linux shells (e.g., zsh, sh).
Correlate command-line arguments or shell histories that reference paths under /mnt/c/.
Use Sysmon (Event ID 1 – Process Creation) with advanced command-line rules or EDR telemetry to alert on file interactions such as:

• cat /mnt/c/Users/...
• cp /mnt/c/Users/Public/Documents/...
• rm /mnt/c/Windows/System32/...

Track I/O operations on the Windows file system via WSL bridge using tools capable of inspecting WSL file operations (e.g., enhanced Sysmon configs or custom sensors on %LOCALAPPDATA%\Packages\ WSL paths).

Indicators:
Linux-based commands referencing mnt/c/Users, mnt/c/Windows, or mapped network drives.
High-volume copying, deletion, or modification of Windows files from inside WSL shells.
Use of obfuscation tools or compression (tar, gzip, openssl enc) within /mnt/c/.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Monitor for the registration or installation of new WSL distributions on Windows systems. This may indicate preparation for anti-forensics staging, tool isolation, or evasion of host-based controls by enabling a new, hidden runtime environment.

Detection Methods:
Monitor for execution of the following commands:

• wsl --install
• wsl --import
• wsl --set-default-version
• wsl --update

Log and alert on new subdirectory creation under %LOCALAPPDATA%\Packages\ matching known Linux distro patterns (e.g., CanonicalGroupLimited.Ubuntu..., Debian..., KaliLinux...).
Monitor Microsoft Store activity related to Linux distributions or track installation events via Windows AppX logs or PowerShell module activity.
Enable Windows Defender Application Control (WDAC), AppLocker, or other control plane policies to restrict execution of unapproved WSL distributions or wsl.exe by unprivileged users.

Indicators:
First-time installation of Linux distributions on non-developer endpoints.
Installation of niche or security-focused distributions (e.g., Kali Linux, Parrot OS) by non-security staff.
Rapid creation and deletion of WSL environments.
Distributions installed using --import with local or remote image files.

This detection is not enabled by default and requires additional configuration.

System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.

Deploy User and Entity Behavior Analytics (UEBA) solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and other non-human resources. UEBA systems track normal behavior patterns and detect anomalies that could indicate potential insider events. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.