Execution via Windows Subsystem for Linux | Elastic Security Solution [8.13]

› › ›

« Execution via TSClient Mountpoint Execution via local SxS Shared Module »

Execution via Windows Subsystem for Linuxedit

Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.process-*
logs-windows.*
endgame-*
logs-system.security*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://learn.microsoft.com/en-us/windows/wsl/wsl-config

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

process where host.os.type == "windows" and event.type : "start" and
  process.parent.name : ("wsl.exe", "wslhost.exe") and
  not process.executable : (
        "?:\\Program Files (x86)\\*",
        "?:\\Program Files\\*",
        "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
        "?:\\Windows\\System32\\conhost.exe",
        "?:\\Windows\\System32\\lxss\\wslhost.exe",
        "?:\\Windows\\System32\\WerFault.exe",
        "?:\\Windows\\Sys*\\wslconfig.exe"
  )

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Indirect Command Execution
- ID: T1202
- Reference URL: https://attack.mitre.org/techniques/T1202/

« Execution via TSClient Mountpoint Execution via local SxS Shared Module »