Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable and use WSL to avoid detection.
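[metadata]
creation_date = "2023/01/13"
integration = ["endpoint", "windows"]
maturity = "production"
# NOTE(review): the detection-rules tooling presumably expects this bumped on
# every edit to the rule (the description wording changed) - confirm.
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
author = ["Elastic"]
# Shown to analysts in Kibana; fixed the doubled "the the".
description = """
Detects Linux Bash commands from the Windows Subsystem for Linux. Adversaries may enable
and use WSL for Linux to avoid detection.
"""
# Lookback window per rule execution; `timestamp_override` below makes it
# relative to ingest time rather than event time, so late-arriving endpoint
# events are still evaluated.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Windows Subsystem for Linux"
references = [
    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
]
risk_score = 47
rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Process-start events on Windows hosts that match any of four WSL branches:
#   1. the System32 bash.exe (by path or PE original name) started with a
#      command line other than a bare "bash"/"bash.exe" - an argument-less
#      interactive shell is deliberately NOT alerted on;
#   2. bash run straight out of a Store-distro rootfs under a user's AppData;
#   3. a child of wsl.exe whose parent command line starts with "bash",
#      excluding wslhost.exe;
#   4. wsl.exe itself invoked with arguments associated with Linux credential
#      files, --system/root/--exec execution, or the /mnt/c Windows mount.
# The `?:` prefix is an EQL single-character wildcard, so any drive letter
# matches. The final clause allowlists children of Docker's install
# directories (presumably the Docker Desktop WSL backend - confirm before
# widening it); note this is a path-based exclusion, so anything launched from
# those directories is suppressed regardless of what it runs.
query = '''
process where host.os.type == "windows" and event.type : "start" and
  (
    ((process.executable : "?:\\Windows\\System32\\bash.exe" or process.pe.original_file_name == "Bash.exe") and
      not process.command_line : ("bash", "bash.exe")) or
    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
    (process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe") or
    (process.name : "wsl.exe" and process.args : ("curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"))
  ) and
  not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
'''

# ATT&CK mapping: one [[rule.threat]] entry per tactic, each carrying its
# technique(s) and the tactic the rule is filed under.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

  [[rule.threat.technique.subtechnique]]
  id = "T1059.004"
  name = "Unix Shell"
  reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"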