Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/13"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2023/06/22"
6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
7min_stack_version = "8.3.0"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable
13and use WSL for Linux to avoid detection.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Execution via Windows Subsystem for Linux"
20references = [
21 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
22 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
23 "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
24]
25risk_score = 47
26rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type : "start" and
34 (
35 ((process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
36 not process.command_line : ("bash", "bash.exe")) or
37 process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
38 (process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe") or
39 (process.name : "wsl.exe" and process.args : ("curl", "/etc/shadow", "/etc/passwd", "cat","--system", "root", "-e", "--exec", "bash", "/mnt/c/*"))
40 ) and
41 not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1202"
49name = "Indirect Command Execution"
50reference = "https://attack.mitre.org/techniques/T1202/"
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1059"
61name = "Command and Scripting Interpreter"
62reference = "https://attack.mitre.org/techniques/T1059/"
63
64 [[rule.threat.technique.subtechnique]]
65 id = "T1059.004"
66 name = "Unix Shell"
67 reference = "https://attack.mitre.org/techniques/T1059/004/"
68
69[rule.threat.tactic]
70id = "TA0002"
71name = "Execution"
72reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Over the last year, Microsoft has gradually developed and released a new, integrated Linux feature within Windows 10. While this feature is still disabled by default, it recently transitioned from a “beta” feature to a “production” feature in the latest Fall Creators Update (1709). At F-Secure, we love nothing more than testing the latest attack […]
Read More -
.. /Wsl.exe Star Execute Download Windows subsystem for Linux executable Paths: C:\Windows\System32\wsl.exe Resources: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-de...
Read More -
This post is the first of a multi-part blog series that will explore and highlight the different risks that Windows Subsystem for Linux (WSL) poses to an enterprise IT environment. Here we examine a…
Read More
Related rules
- Execution from Unusual Directory - Command Line
- Adding Hidden File Attribute via Attrib
- Attempt to Install Kali Linux via WSL
- Clearing Windows Console History
- Clearing Windows Event Logs