Suspicious Execution via Windows Subsystem for Linux

  1[metadata]
  2creation_date = "2023/01/13"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
 11avoid detection.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Suspicious Execution via Windows Subsystem for Linux"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Suspicious Execution via Windows Subsystem for Linux
 31
 32Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
 33
 34### Possible investigation steps
 35
 36- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
 37- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
 38- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
 39- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
 40- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
 41
 42### False positive analysis
 43
 44- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
 45- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
 46- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
 47- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
 48- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
 49
 50### Response and remediation
 51
 52- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 53- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
 54- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
 55- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
 56- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 58- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 59references = [
 60    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 61    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
 62    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
 63]
 64risk_score = 21
 65rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
 66severity = "low"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "Use Case: Threat Detection",
 71    "Tactic: Execution",
 72    "Tactic: Defense Evasion",
 73    "Data Source: Elastic Endgame",
 74    "Data Source: Elastic Defend",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78    "Resources: Investigation Guide",
 79]
 80timestamp_override = "event.ingested"
 81type = "eql"
 82
 83query = '''
 84process where host.os.type == "windows" and event.type : "start" and
 85  (
 86    (
 87      (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
 88      not process.command_line : ("bash", "bash.exe")
 89    ) or
 90    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
 91    (
 92      process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
 93    ) or
 94    (
 95      process.name : "wsl.exe" and process.args : (
 96        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
 97      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
 98    )
 99  ) and
100    not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
101'''
102
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106[[rule.threat.technique]]
107id = "T1202"
108name = "Indirect Command Execution"
109reference = "https://attack.mitre.org/techniques/T1202/"
110
111
112[rule.threat.tactic]
113id = "TA0005"
114name = "Defense Evasion"
115reference = "https://attack.mitre.org/tactics/TA0005/"
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1059"
120name = "Command and Scripting Interpreter"
121reference = "https://attack.mitre.org/techniques/T1059/"
122[[rule.threat.technique.subtechnique]]
123id = "T1059.004"
124name = "Unix Shell"
125reference = "https://attack.mitre.org/techniques/T1059/004/"
126
127
128
129[rule.threat.tactic]
130id = "TA0002"
131name = "Execution"
132reference = "https://attack.mitre.org/tactics/TA0002/"