Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/13"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/03/28"
6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
7min_stack_version = "8.3.0"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable
13and use WSL for Linux to avoid detection.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Execution via Windows Subsystem for Linux"
20references = [
21 "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
22 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
23 "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"
24]
25risk_score = 21
26rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
27severity = "low"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type : "start" and
34 (
35 (
36 (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
37 not process.command_line : ("bash", "bash.exe")
38 ) or
39 process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
40 (
41 process.parent.name : "wsl.exe" and ?process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
42 ) or
43 (
44 process.name : "wsl.exe" and process.args : (
45 "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
46 ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
47 )
48 ) and
49 not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1202"
57name = "Indirect Command Execution"
58reference = "https://attack.mitre.org/techniques/T1202/"
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1059"
69name = "Command and Scripting Interpreter"
70reference = "https://attack.mitre.org/techniques/T1059/"
71
72 [[rule.threat.technique.subtechnique]]
73 id = "T1059.004"
74 name = "Unix Shell"
75 reference = "https://attack.mitre.org/techniques/T1059/004/"
76
77[rule.threat.tactic]
78id = "TA0002"
79name = "Execution"
80reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Clearing Windows Console History
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Control Panel Process with Unusual Arguments
- Disabling Windows Defender Security Settings via PowerShell