BleepingComputer • 4w
Microsoft Coreutils and the WSL2 Telemetry Blind Spot
Microsoft's introduction of native Coreutils, together with the architectural design of WSL2, has created a critical "telemetry blind spot" for Windows enterprise environments. By executing commands through a Hyper-V-isolated Linux kernel, attackers can perform "Indirect Command Execution" that bypasses standard Windows monitoring. Specifically, network activity remains invisible to Sysmon EID 3, and file system modifications made via the Plan 9 (9P) protocol are attributed to the legitimate DllHost.exe process rather than to the initiating Linux process. This decouples malicious activity from identifiable Windows process trees, complicating attribution and hindering the detection of payload staging and command-and-control (C2) communications.
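As an added example (not code from the article), a Python hunt over constructed Sysmon events that flags DllHost.exe file writes outside an assumed allowlist of directories a COM surrogate normally touches, and marks whether a wsl.exe launch (EID 1) preceded each write, restoring the process-tree link that 9P attribution hides. The allowlist, the 10-minute window and the wsl.exe launcher name are assumptions to be baselined per environment.

```python
from datetime import datetime, timedelta

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"
# Assumed allowlist: paths DllHost.exe writes to in normal COM-surrogate use.
# Baseline this from your own fleet before relying on it.
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Assumed: WSL sessions start via wsl.exe; correlate writes within this window.
WSL_LAUNCHERS = ("\\wsl.exe",)
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed Sysmon events (EID 1 ProcessCreate, EID 11 FileCreate); not real telemetry.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000",
     "Image": "C:\\Windows\\System32\\wsl.exe", "CommandLine": "wsl.exe -d Ubuntu"},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:07.000",
     "Image": "C:\\Windows\\System32\\DllHost.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe"},
    {"EventID": 11, "UtcTime": "2024-05-01 10:01:00.000",
     "Image": "C:\\Windows\\System32\\DllHost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\com_cache.tmp"},      # allowlisted prefix
    {"EventID": 11, "UtcTime": "2024-05-01 14:00:00.000",
     "Image": "C:\\Windows\\System32\\DllHost.exe",
     "TargetFilename": "C:\\Users\\bob\\Documents\\report.docx"},  # no recent WSL launch
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:09.000",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\a.zip"},      # not DllHost.exe
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], SYSMON_TS)


def hunt_dllhost_writes(events):
    """Return DllHost.exe FileCreate events outside the allowlist, each tagged with
    whether a wsl.exe launch preceded it within CORRELATION_WINDOW."""
    launches = [_ts(e) for e in events
                if e["EventID"] == 1 and e["Image"].lower().endswith(WSL_LAUNCHERS)]
    findings = []
    for ev in events:
        if ev["EventID"] != 11 or not ev["Image"].lower().endswith("\\dllhost.exe"):
            continue
        if ev["TargetFilename"].lower().startswith(EXPECTED_PREFIXES):
            continue
        t = _ts(ev)
        correlated = any(timedelta(0) <= (t - l) <= CORRELATION_WINDOW for l in launches)
        findings.append({"time": ev["UtcTime"], "path": ev["TargetFilename"],
                         "wsl_correlated": correlated})
    return findings


if __name__ == "__main__":
    for finding in hunt_dllhost_writes(EVENTS):
        print(finding)
```

Because EID 3 gives no network view of the WSL2 side, the file-write correlation is the Windows-host signal that remains; treat uncorrelated hits as a lower-severity tier to tune, not as noise to drop.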