TheMysteriousX / SNMPv3-Hash-Generator

Apache License 2.0

Strange behavior on WSL2 Debian with SentinelOne #3

Open SummaCumWilly opened 3 years ago

SummaCumWilly commented 3 years ago

I don't know if other folks have/will run into this or not, but I just want to mark it down.

When I call this library inside my WSL2 Debian box, my WSL session gets killed by SentinelOne due to a windows.penetration event in the detection engine with a "Malware detected!" alert.

SentinelOne is looking into it for further details. I'll update this if I get any meaningful further information.

TheMysteriousX commented 3 years ago

The normal cause of false positives like this is that some malware makes use of a library, and the AV vendor has just blindly added every single file.

Most of the heavy lifting is done using secrets and hashlib... does your shell get killed if you just fire up a repl and do something like:

import hashlib
import string
import secrets
# Build a 10-character random alphanumeric string with the CSPRNG-backed secrets module
foo = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(10))
# Hash it with SHA-1 and print the hex digest
print(hashlib.sha1(foo.encode('utf-8')).digest().hex())
SummaCumWilly commented 3 years ago

Surprisingly (to me, at least) this does not kill it.

From Sentinel they said this was a false positive. The alert was flagged for this:

THREAT INDICATOR(S)
Evasion
• Attempt to evade monitoring using the Process hollowing technique.
• MITRE : Privilege Escalation [T1055.012]
• MITRE : Defense Evasion [T1055.012]