Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
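# Elastic prebuilt detection rule: Suspicious Execution via Windows Subsystem for Linux.
# Packaged for the Elastic detection-rules repository; the [metadata] table drives packaging,
# the [rule] table is what the Security app installs.

[metadata]
creation_date = "2023/01/13"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# The Windows integration changed incompatibly at 8.14.0, so older stacks must not receive this version.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
avoid detection.
"""
# Benign sources of WSL/bash activity that the query below carves out explicitly.
false_positives = [
    """
Docker Desktop (WSL 2 backend) and VS Code Remote - WSL launch wsl.exe and bash with arguments that match this rule.
Activity parented by the Docker Desktop install directories, or carrying the wsl-bootstrap, docker-desktop-data or
.vscode-server arguments, is excluded; other developer tooling that drives WSL may still trigger it.
""",
]
# 9-minute look-back evaluated against ingest time (event.ingested) so events delayed by the
# pipeline are still seen by the scheduled run.
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Windows Subsystem for Linux"
references = [
    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
]
# Low score on purpose: branch 4 below keys on common argument strings and is expected to be noisy
# on developer workstations.
risk_score = 21
rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Process-start events on Windows hosts that match one of four ways WSL can run Linux commands:
#   1. System32 bash.exe, identified by path or by its PE OriginalFileName (the `?` prefix makes the
#      PE field optional so sources that do not populate it do not fail the clause); a bare
#      "bash" / "bash.exe" command line with no arguments is ignored.
#   2. The distribution's own /usr/bin/bash launched from the per-user rootfs under AppData\Local\Packages.
#   3. Any child of wsl.exe where wsl.exe's own command line begins with "bash", except wslhost.exe.
#   4. wsl.exe invoked with an argument the rule treats as suspicious (credential files, curl/cat,
#      root, -e/--exec, bash, /mnt/c paths). The wsl-bootstrap / docker-desktop-data / .vscode-server
#      argument exclusions apply to this branch only.
# The trailing Docker Desktop parent-executable exclusion applies to all four branches.
# Coverage note: branch 4 depends on an explicit argument list, so wsl.exe driving a different
# interpreter (e.g. sh or python) with none of those strings is not matched by that branch; branches
# 1-3 do not depend on the list.
query = '''
process where host.os.type == "windows" and event.type : "start" and
  (
    (
      (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
      not process.command_line : ("bash", "bash.exe")
    ) or
    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
    (
      process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
    ) or
    (
      process.name : "wsl.exe" and process.args : (
        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
    )
  ) and
  not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"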