ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: DT123
  • Created: 20th May 2025
  • Updated: 20th May 2025
  • Platform: Windows
  • Contributor: The ITM Team

Access to /mnt/c/ from Within WSL

Monitor for file access operations originating from within the WSL environment targeting the mounted Windows file system at /mnt/c/. This behavior allows the subject to interact with the Windows host's data from a Linux context—often bypassing traditional Windows auditing tools and event logs.

 

Detection Methods:

Enable command-line logging and process creation auditing for wsl.exe, bash.exe, or associated Linux shells (e.g., zsh, sh).
Correlate command-line arguments or shell histories that reference paths under /mnt/c/.
Use Sysmon (Event ID 1 – Process Creation) with advanced command-line rules or EDR telemetry to alert on file interactions such as:

 

  • cat /mnt/c/Users/...
  • cp /mnt/c/Users/Public/Documents/...
  • rm /mnt/c/Windows/System32/...

 

Track I/O operations on the Windows file system via WSL bridge using tools capable of inspecting WSL file operations (e.g., enhanced Sysmon configs or custom sensors on %LOCALAPPDATA%\Packages\ WSL paths).

 

Indicators:
Linux-based commands referencing mnt/c/Users, mnt/c/Windows, or mapped network drives.
High-volume copying, deletion, or modification of Windows files from inside WSL shells.
Use of obfuscation tools or compression (tar, gzip, openssl enc) within /mnt/c/.

Sections

ID Name Description
AF022.002Use of Windows Subsystem for Linux (WSL)

The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.

 

WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.

 

Example Scenarios:

 

  • The subject downloads and processes sensitive files inside the WSL environment using native Linux tools (e.g., scp, gpg, rsync), preventing access and modification timestamps from appearing in Windows Explorer or standard audit logs.
  • A subject extracts and stages exfiltration material in /mnt/c within WSL, using symbolic links and Linux file permissions to obscure its presence from Windows search and indexing services.
  • WSL is used to execute recon and credential-harvesting scripts (e.g., nmap, hydra, ssh enumeration tools), with no execution trace in Windows Event Logs.
  • Upon completion of activity, the subject deletes the WSL distribution, leaving minimal residue on the host system—especially if no antivirus or EDR coverage extends into the WSL layer.