Suspicious Execution via Windows Subsystem for Linux

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/13"
 3integration = ["endpoint", "windows", "system"]
 4maturity = "production"
 5updated_date = "2024/03/28"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable 
13and use WSL for Linux to avoid detection.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Execution via Windows Subsystem for Linux"
20references = [
21    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
22    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
23    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
24]
25risk_score = 21
26rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
27severity = "low"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type : "start" and
34  (
35    (
36      (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and 
37      not process.command_line : ("bash", "bash.exe")
38    ) or 
39    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or 
40    (
41      process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
42    ) or 
43    (
44      process.name : "wsl.exe" and process.args : (
45        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
46      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
47    )
48  ) and 
49    not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1202"
57name = "Indirect Command Execution"
58reference = "https://attack.mitre.org/techniques/T1202/"
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1059"
69name = "Command and Scripting Interpreter"
70reference = "https://attack.mitre.org/techniques/T1059/"
71
72    [[rule.threat.technique.subtechnique]]
73    id = "T1059.004"
74    name = "Unix Shell"
75    reference = "https://attack.mitre.org/techniques/T1059/004/"
76
77[rule.threat.tactic]
78id = "TA0002"
79name = "Execution"
80reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top