Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/13"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
11avoid detection.
12"""
13from = "now-9m"
14index = [
15 "winlogbeat-*",
16 "logs-endpoint.events.process-*",
17 "logs-windows.*",
18 "endgame-*",
19 "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Suspicious Execution via Windows Subsystem for Linux"
24references = [
25 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
26 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
27 "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
28]
29risk_score = 21
30rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
31severity = "low"
32tags = [
33 "Domain: Endpoint",
34 "OS: Windows",
35 "Use Case: Threat Detection",
36 "Tactic: Execution",
37 "Tactic: Defense Evasion",
38 "Data Source: Elastic Endgame",
39 "Data Source: Elastic Defend",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where host.os.type == "windows" and event.type : "start" and
46 (
47 (
48 (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
49 not process.command_line : ("bash", "bash.exe")
50 ) or
51 process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
52 (
53 process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
54 ) or
55 (
56 process.name : "wsl.exe" and process.args : (
57 "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
58 ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
59 )
60 ) and
61 not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
62'''
63
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1202"
69name = "Indirect Command Execution"
70reference = "https://attack.mitre.org/techniques/T1202/"
71
72
73[rule.threat.tactic]
74id = "TA0005"
75name = "Defense Evasion"
76reference = "https://attack.mitre.org/tactics/TA0005/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1059"
81name = "Command and Scripting Interpreter"
82reference = "https://attack.mitre.org/techniques/T1059/"
83[[rule.threat.technique.subtechnique]]
84id = "T1059.004"
85name = "Unix Shell"
86reference = "https://attack.mitre.org/techniques/T1059/004/"
87
88
89
90[rule.threat.tactic]
91id = "TA0002"
92name = "Execution"
93reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Clearing Windows Console History
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Control Panel Process with Unusual Arguments
- Disabling Windows Defender Security Settings via PowerShell