Insider Threat Matrix™Insider Threat Matrix™
  • ID: DT124
  • Created: 20th May 2025
  • Updated: 20th May 2025
  • Platform: Windows
  • Contributor: The ITM Team

Installation of New WSL Distributions

Monitor for the registration or installation of new WSL distributions on Windows systems. This may indicate preparation for anti-forensics staging, tool isolation, or evasion of host-based controls by enabling a new, hidden runtime environment.

 

Detection Methods:
Monitor for execution of the following commands:

 

  • wsl --install
  • wsl --import
  • wsl --set-default-version
  • wsl --update

 

Log and alert on new subdirectory creation under %LOCALAPPDATA%\Packages\ matching known Linux distro patterns (e.g., CanonicalGroupLimited.Ubuntu..., Debian..., KaliLinux...).
Monitor Microsoft Store activity related to Linux distributions or track installation events via Windows AppX logs or PowerShell module activity.
Enable Windows Defender Application Control (WDAC), AppLocker, or other control plane policies to restrict execution of unapproved WSL distributions or wsl.exe by unprivileged users.

 

Indicators:
First-time installation of Linux distributions on non-developer endpoints.
Installation of niche or security-focused distributions (e.g., Kali Linux, Parrot OS) by non-security staff.
Rapid creation and deletion of WSL environments.
Distributions installed using --import with local or remote image files.

Sections

ID Name Description
AF035Native Application Misuse

Native application misuse occurs when a subject uses applications, services, binaries, scripts, or administrative utilities already present on a corporate endpoint or server to support, conceal, or facilitate an infringement without introducing new software. This may include exploring built-in operating system/command line tools, approved productivity applications, scripting environments, messaging clients, compression utilities, remote access components, cloud storage integrations, or endpoint management features to identify capabilities that can be repurposed for unauthorized outcomes.

 

The anti-forensics significance of this behavior is that the subject’s activity may appear consistent with legitimate operational use. Unlike the installation of unauthorized tools or overt malware, native application misuse relies on capabilities that are already trusted, allowed, or commonly present in the environment. This can make it difficult for investigators to distinguish legitimate activity from illegitimate activity without strong context, baseline comparison, command-line visibility, file access history, and correlation with the subject’s role, timing, intent, and surrounding investigative indicators.

 

A subject may deliberately elect to use a more complicated or convoluted method to achieve an illegitimate outcome when that method relies on native applications or approved services. In these cases, the subject may avoid introducing external software even where doing so would make the task faster, simpler, or more technically effective. The investigative significance is that the inefficient method may itself be purposeful: by operating through trusted tools already present on the endpoint, the subject reduces the number of distinct control violations, avoids software-installation indicators, and makes the activity harder to separate from legitimate business use.

 

This behavior may contribute to or facilitate an infringement by allowing a subject to stage, compress, transfer, hide, rename, encode, delete, alter, or access data using tools that do not independently appear suspicious. It may also support behavioral drift where repeated minor misuse of approved tools becomes normalized within a team or population, reducing the organization’s ability to identify meaningful deviations from acceptable use.

 

Investigative Relevance

Native application misuse should be assessed in relation to the subject’s role, normal working patterns, endpoint baseline, approved business processes, and the sensitivity of the data involved. Investigators should avoid treating native tool execution as inherently suspicious. The investigative concern arises when the subject uses ordinary capabilities in unusual combinations, at unusual times, against unusual data, or in ways that produce outcomes inconsistent with their duties.

 

Investigators should consider whether the subject’s chosen method appears unnecessarily complex when compared with easier external tooling options. Where a subject uses native applications in a slower, more manual, or more indirect manner, that choice may indicate an intent to preserve plausible legitimacy, avoid detection associated with unauthorized software, or obscure the behavioral sequence required to prove intent.

 

Relevant case logic may include:

  • A subject using built-in archive, scripting, browser, synchronization, or file management capabilities shortly before data loss, unauthorized access, or sabotage.
  • A subject performing repeated exploratory activity against native utilities, administrative consoles, local services, or corporate applications that are not required for their role.
  • A subject using approved tools to perform actions more commonly associated with staging, concealment, bulk collection, transfer, or destruction.
  • A subject’s activity remaining below traditional software-control thresholds because no new executable, installer, or external application was introduced.
  • A pattern of activity that appears individually explainable but collectively supports preparation, infringement, or anti-forensic concealment.

Example Behaviors

  • Using built-in compression or archive utilities to stage sensitive files before transfer.
  • Using PowerShell, shell scripts, command prompt, Terminal, or Windows Subsystem for Linux to enumerate, copy, encode, delete, or modify files.
  • Using corporate browsers, browser profiles, or approved extensions to access unsanctioned services without installing additional tools.
  • Using approved cloud synchronization clients to move files into locations that are less visible to standard file-share auditing.
  • Using native search, indexing, preview, or document history features to locate sensitive material outside normal workflow.
  • Using operating system rename, timestamp, metadata, recycle bin, clipboard, print-to-PDF, screenshot, or export functions to alter the appearance, location, or traceability of data.
  • Using existing remote access, collaboration, or screen-sharing services to view, transfer, or disclose information under the appearance of legitimate work activity.
  • Using scheduled tasks, launch agents, login items, shortcuts, or automation features already present on the endpoint to repeat activity without installing new software.
AF022.002Use of Windows Subsystem for Linux (WSL)

The subject leverages Windows Subsystem for Linux (WSL) to contain forensic artifacts within a Linux-like runtime environment embedded in Windows. By operating inside WSL, the subject avoids writing sensitive data, tool activity, or command history to traditional Windows locations, significantly reducing visibility to host-based forensic and security tools.

 

WSL creates a logical Linux environment that appears separate from the Windows file system. Although some host-guest integration exists, activity within WSL often bypasses standard Windows event logging, registry updates, and process tracking. This allows the subject to execute scripts, use Unix-native tools, stage exfiltration, or decrypt payloads with minimal footprint on the host.

 

Example Scenarios:

 

  • The subject downloads and processes sensitive files inside the WSL environment using native Linux tools (e.g., scp, gpg, rsync), preventing access and modification timestamps from appearing in Windows Explorer or standard audit logs.
  • A subject extracts and stages exfiltration material in /mnt/c within WSL, using symbolic links and Linux file permissions to obscure its presence from Windows search and indexing services.
  • WSL is used to execute recon and credential-harvesting scripts (e.g., nmap, hydra, ssh enumeration tools), with no execution trace in Windows Event Logs.
  • Upon completion of activity, the subject deletes the WSL distribution, leaving minimal residue on the host system—especially if no antivirus or EDR coverage extends into the WSL layer.