
Windows Subsystem for Linux, shortened to WSL, allows for a Linux command line to be run inside Windows without the system requirements of a virtual machine or a dual boot setup. You can run bash scripts and Linux command line apps, such as vim, NodeJS, and Apache. You can also invoke Windows applications from Linux and Linux applications from Windows. With WSL, you can run most command-line tools, applications, and utilities easily. Windows touts WSL mainly as a tool for developers (especially web developers and those who work on open-source projects), but it can be helpful for anyone, especially if you prefer using Linux, but need to use Windows.




There are two versions of WSL, helpfully called WSL 1 and WSL 2. WSL 1 allows for performance across OS file systems, but WSL 2 has the benefits of a managed VM, a full Linux kernel, and full system call compatibility. Both versions, however, support full integration between Windows and Linux, fast boot times, and a small resource footprint, and they both run with current versions of VMware and VirtualBox. Windows still allows both versions to be downloaded and used, so the user can choose whichever suits their needs. (In fact, you need to install WSL 1 first in order to upgrade to WSL 2.)




Installing WSL is easy and requires just a few commands; however, it is only available for 64-bit versions of Windows 10. During installation you can choose to upgrade to WSL 2 if you wish to use that right away. You can also upgrade to WSL 2 at any later time if you wish to use version 1 first for a while. The installation process requires a system restart to complete. There are two different ways to install, one of which is a manual setup that gives the user more control over exactly how things are done. This process can also be done on a virtual machine, so that you can have a Windows 10 VM with WSL installed.




Perhaps the best feature of WSL is that you can choose which version of Linux you wish to run. Microsoft provides a range of options, such as several Ubuntu versions, Kali, Debian, Fedora, and others. These options can be downloaded directly from the Microsoft Store. You can also have several different versions installed and running at the same time, allowing for a range of command line functions based on exactly what you need. You also have the option to create and run custom distributions of Linux, which expands the options presented in WSL even further.

Below is the list of Linux versions that are in the Windows Store.



Launching WSL is really easy once it is installed. The particular installation of Linux that you chose shows up in the Windows start menu and you start it as you would any other application. This makes the start up of any WSL installation very accessible.



The WSL terminal is very similar to the normal Linux one. If you wish to open the Linux directory and see where the files are stored, simply enter explorer.exe and File Explorer will open to the location where WSL stores everything. WSL, however, does not support a GUI (and likely won’t ever), so it is important to be familiar with the Linux command line. Below is an example of an Ubuntu terminal on launch.


From here, you can run most of the normal Linux commands and install Linux applications if you wish. The terminal reacts the same as a normal Linux terminal, which is a huge upside.


Updated: Jan 25

Sysmon (system monitor) is a Windows system device and device driver. It monitors and logs system activities and provides more detailed logs than the native Windows tools. Sysmon can be used to identify malicious activity and understand how an attacker or malware may move through your network.

While Sysmon is a Windows tool, it is not preinstalled and requires a separate download from Microsoft. Sysmon also does not analyze the logs it collects; that job is left to you. It also does not try to hide itself from attackers, and it can be deleted easily in an attack.


Sysmon is a really useful tool due to its numerous features. These include logging process creation for both current and parent processes, recording the hash values of process image files, and allowing multiple hashes to be used at once. One of Sysmon's particularly useful features is that it assigns process and session GUIDs to allow for event correlation, which means that you can track events to a specific login or user session. Sysmon also logs the loading of drivers and DLLs with their signatures and hashes.

It can also log a lot of data about network connections, such as IP addresses, port names and numbers, hostnames, and each connection's source process. Sysmon detects changes in file creation time, which is a useful forensic tool. Sysmon allows for rule filtering, so it can be tailored to your specific needs. Finally, Sysmon logs events from early on in the boot process to help capture activity made by kernel mode malware.


Sysmon is so useful because of how much more detailed its logs are. Below is a standard Windows log of process creation; it provides some process information, such as the name and process ID.

However, when compared to a Sysmon log, it seems sparse in its information. Below is a Sysmon log of a process creation, and it shows much more information.

Here, we can see some of the features discussed above, such as hash values and the GUIDs that allow for event correlation.


Sysmon uses its own Event ID system and adds 24 IDs specific to Sysmon. Examples of these IDs include Event ID 1 (shown above, process creation), Event ID 3 (network connection), Event ID 5 (process termination), and Event ID 11 (file creation). Event ID 255 is a Sysmon failure.
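The GUID-based correlation and the Event IDs described above can be combined into a per-process timeline. The following is an added example, not code from the original post: it parses constructed events in the Event Viewer XML layout (reduced to a few fields; the GUIDs, paths, IP address and hash placeholder are made up), groups them by ProcessGuid, and walks ParentProcessGuid links to recover the process ancestry.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, **fields):
    """Build one constructed event in Event Viewer XML layout (sample-data helper)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample events, deliberately out of order; GUIDs, paths and IP are made up.
PARENT, CHILD = "{00000000-0000-0000-0000-00000000000a}", "{00000000-0000-0000-0000-00000000000b}"
EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    make_event(3, UtcTime="2024-03-01 10:00:02.500", ProcessGuid=CHILD, Image=POWERSHELL,
               DestinationIp="203.0.113.10", DestinationPort="443"),
    make_event(5, UtcTime="2024-03-01 10:00:09.000", ProcessGuid=CHILD, Image=POWERSHELL),
    make_event(1, UtcTime="2024-03-01 10:00:01.000", ProcessGuid=CHILD, Image=POWERSHELL,
               ParentProcessGuid=PARENT, Hashes="SHA256=CONSTRUCTED_PLACEHOLDER"),
    make_event(11, UtcTime="2024-03-01 10:00:03.250", ProcessGuid=CHILD, Image=POWERSHELL,
               TargetFilename=r"C:\Users\Public\sample.txt"),
    make_event(1, UtcTime="2024-03-01 09:00:00.000", ProcessGuid=PARENT, Image=EXPLORER),
]

def parse(xml_text):
    """Flatten one event into a dict of its EventData fields plus the numeric EventID."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return rec

def timelines(xml_events):
    """Group events by ProcessGuid and order each group by UtcTime."""
    by_guid = defaultdict(list)
    for rec in map(parse, xml_events):
        by_guid[rec["ProcessGuid"]].append(rec)
    return {g: sorted(evs, key=lambda r: r["UtcTime"]) for g, evs in by_guid.items()}

def ancestry(by_guid, guid):
    """Follow ParentProcessGuid links through Event ID 1 records, child first."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        create = next((r for r in by_guid[guid] if r["EventID"] == 1), {})
        chain.append(create.get("Image", "<no creation event>"))
        guid = create.get("ParentProcessGuid")
    return chain
```

Calling `timelines(SAMPLE)` and then `ancestry(...)` with the child GUID shows the process creation, network connection, file creation and termination in order, followed by the parent image. Keying on ProcessGuid rather than the process ID avoids mixing up events when Windows reuses a PID.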


Sysmon also adds its own log inside the Windows Event Viewer, which allows it to be looked through more quickly. Sysmon is non-intrusive and can be accessed alongside the native Windows logs.