Suspicious Execution via Windows Subsystem for Linux

  1[metadata]
  2creation_date = "2023/01/13"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2026/05/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
 11avoid detection.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Suspicious Execution via Windows Subsystem for Linux"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Suspicious Execution via Windows Subsystem for Linux
 31
 32Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
 33
 34### Possible investigation steps
 35
 36- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
 37- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
 38- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
 39- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
 40- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender XDR, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
 41
 42### False positive analysis
 43
 44- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
 45- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
 46- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
 47- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
 48- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
 49
 50### Response and remediation
 51
 52- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 53- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
 54- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
 55- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
 56- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
 57- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 58- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
 59references = [
 60    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 61    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
 62    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
 63]
 64risk_score = 21
 65rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
 66severity = "low"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "Use Case: Threat Detection",
 71    "Tactic: Execution",
 72    "Tactic: Defense Evasion",
 73    "Data Source: Elastic Endgame",
 74    "Data Source: Elastic Defend",
 75    "Data Source: Microsoft Defender XDR",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78    "Resources: Investigation Guide",
 79]
 80timestamp_override = "event.ingested"
 81type = "eql"
 82
 83query = '''
 84process where host.os.type == "windows" and event.type : "start" and
 85  (
 86    (
 87      (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
 88      not process.command_line : ("bash", "bash.exe")
 89    ) or
 90    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
 91    (
 92      process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
 93    ) or
 94    (
 95      process.name : "wsl.exe" and process.args : (
 96        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
 97      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
 98    )
 99  ) and
100    not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
101'''
102
103setup = """## Setup
104
105This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
106
107Setup instructions: https://ela.st/install-elastic-defend
108
109### Additional data sources
110
111This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
112
113- [Microsoft Defender XDR](https://ela.st/m365-defender)
114- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
115- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
116"""
117
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121
122[[rule.threat.technique]]
123id = "T1202"
124name = "Indirect Command Execution"
125reference = "https://attack.mitre.org/techniques/T1202/"
126
127[rule.threat.tactic]
128id = "TA0005"
129name = "Defense Evasion"
130reference = "https://attack.mitre.org/tactics/TA0005/"
131
132[[rule.threat]]
133framework = "MITRE ATT&CK"
134
135[[rule.threat.technique]]
136id = "T1059"
137name = "Command and Scripting Interpreter"
138reference = "https://attack.mitre.org/techniques/T1059/"
139
140[[rule.threat.technique.subtechnique]]
141id = "T1059.004"
142name = "Unix Shell"
143reference = "https://attack.mitre.org/techniques/T1059/004/"
144
145[rule.threat.tactic]
146id = "TA0002"
147name = "Execution"
148reference = "https://attack.mitre.org/tactics/TA0002/"
149
150[[rule.threat]]
151framework = "MITRE ATT&CK"
152
153[[rule.threat.technique]]
154id = "T1003"
155name = "OS Credential Dumping"
156reference = "https://attack.mitre.org/techniques/T1003/"
157
158[[rule.threat.technique.subtechnique]]
159id = "T1003.008"
160name = "/etc/passwd and /etc/shadow"
161reference = "https://attack.mitre.org/techniques/T1003/008/"
162
163[rule.threat.tactic]
164id = "TA0006"
165name = "Credential Access"
166reference = "https://attack.mitre.org/tactics/TA0006/"