IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Signed Proxy Execution via MS Work Folders Windows Subsystem for Linux Enabled via Dism Utility »

› ›

Execution via Windows Subsystem for Linux

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Execution via Windows Subsystem for Linux

edit

Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.process-*
logs-windows.*
endgame-*
logs-system.security*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-crowdstrike.fdr*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://learn.microsoft.com/en-us/windows/wsl/wsl-config

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: System
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Data Source: Crowdstrike

Version: 208

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "windows" and event.type : "start" and
  process.parent.name : ("wsl.exe", "wslhost.exe") and
  not process.executable : (
        "?:\\Program Files (x86)\\*",
        "?:\\Program Files\\*",
        "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
        "?:\\Windows\\System32\\conhost.exe",
        "?:\\Windows\\System32\\lxss\\wslhost.exe",
        "?:\\Windows\\System32\\WerFault.exe",
        "?:\\Windows\\Sys?????\\wslconfig.exe"
  ) and
  not (
    event.dataset == "crowdstrike.fdr" and
      process.executable : (
        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
        "\\Device\\HarddiskVolume?\\Program Files\\*",
        "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
        "\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
      )
  )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indirect Command Execution
- ID: T1202
- Reference URL: https://attack.mitre.org/techniques/T1202/

« Signed Proxy Execution via MS Work Folders Windows Subsystem for Linux Enabled via Dism Utility »