Suspicious Execution via Windows Subsystem for Linux

Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/01/13"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to
 13avoid detection.
 14"""
 15from = "now-9m"
 16index = [
 17    "winlogbeat-*",
 18    "logs-endpoint.events.process-*",
 19    "logs-windows.sysmon_operational-*",
 20    "endgame-*",
 21    "logs-m365_defender.event-*",
 22    "logs-sentinel_one_cloud_funnel.*",
 23]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Suspicious Execution via Windows Subsystem for Linux"
 27references = [
 28    "https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/",
 29    "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
 30    "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1",
 31]
 32risk_score = 21
 33rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
 34severity = "low"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Windows",
 38    "Use Case: Threat Detection",
 39    "Tactic: Execution",
 40    "Tactic: Defense Evasion",
 41    "Data Source: Elastic Endgame",
 42    "Data Source: Elastic Defend",
 43    "Data Source: Microsoft Defender for Endpoint",
 44    "Data Source: Sysmon",
 45    "Data Source: SentinelOne",
 46    "Resources: Investigation Guide",
 47]
 48timestamp_override = "event.ingested"
 49type = "eql"
 50
 51query = '''
 52process where host.os.type == "windows" and event.type : "start" and
 53  (
 54    (
 55      (process.executable : "?:\\Windows\\System32\\bash.exe" or ?process.pe.original_file_name == "Bash.exe") and
 56      not process.command_line : ("bash", "bash.exe")
 57    ) or
 58    process.executable : "?:\\Users\\*\\AppData\\Local\\Packages\\*\\rootfs\\usr\\bin\\bash" or
 59    (
 60      process.parent.name : "wsl.exe" and process.parent.command_line : "bash*" and not process.name : "wslhost.exe"
 61    ) or
 62    (
 63      process.name : "wsl.exe" and process.args : (
 64        "curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/*"
 65      ) and not process.args : ("wsl-bootstrap", "docker-desktop-data", "*.vscode-server*")
 66    )
 67  ) and
 68    not process.parent.executable : ("?:\\Program Files\\Docker\\*.exe", "?:\\Program Files (x86)\\Docker\\*.exe")
 69'''
 70note = """## Triage and analysis
 71
 72> **Disclaimer**:
 73> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 74
 75### Investigating Suspicious Execution via Windows Subsystem for Linux
 76
 77Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.
 78
 79### Possible investigation steps
 80
 81- Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
 82- Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
 83- Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
 84- Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
 85- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.
 86
 87### False positive analysis
 88
 89- Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
 90- Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
 91- Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
 92- Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
 93- Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.
 94
 95### Response and remediation
 96
 97- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 98- Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
 99- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
100- Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
101- Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
102- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
103- Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon."""
104
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1202"
110name = "Indirect Command Execution"
111reference = "https://attack.mitre.org/techniques/T1202/"
112
113
114[rule.threat.tactic]
115id = "TA0005"
116name = "Defense Evasion"
117reference = "https://attack.mitre.org/tactics/TA0005/"
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120[[rule.threat.technique]]
121id = "T1059"
122name = "Command and Scripting Interpreter"
123reference = "https://attack.mitre.org/techniques/T1059/"
124[[rule.threat.technique.subtechnique]]
125id = "T1059.004"
126name = "Unix Shell"
127reference = "https://attack.mitre.org/techniques/T1059/004/"
128
129
130
131[rule.threat.tactic]
132id = "TA0002"
133name = "Execution"
134reference = "https://attack.mitre.org/tactics/TA0002/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Suspicious Execution via Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute Linux commands stealthily, bypassing traditional Windows security measures. The detection rule identifies unusual WSL activity by monitoring specific executable paths, command-line arguments, and parent-child process relationships, flagging deviations from typical usage patterns to uncover potential threats.

Possible investigation steps

  • Review the process command line and executable path to determine if the execution of bash.exe or any other Linux binaries is expected or authorized for the user or system in question.
  • Investigate the parent-child process relationship, especially focusing on whether wsl.exe is the parent process and if it has spawned any unexpected child processes that are not wslhost.exe.
  • Examine the command-line arguments used with wsl.exe for any suspicious or unauthorized commands, such as accessing sensitive files like /etc/shadow or /etc/passwd, or using network tools like curl.
  • Check the user's activity history and system logs to identify any patterns of behavior that might indicate misuse or compromise, particularly focusing on any deviations from typical usage patterns.
  • Correlate the alert with other security events or logs from data sources like Elastic Endgame, Microsoft Defender for Endpoint, or Sysmon to gather additional context and determine if this is part of a broader attack or isolated incident.

False positive analysis

  • Frequent use of WSL for legitimate development tasks may trigger alerts. Users can create exceptions for specific user accounts or directories commonly used for development to reduce noise.
  • Automated scripts or tools that utilize WSL for system maintenance or monitoring might be flagged. Identify these scripts and whitelist their specific command-line patterns or parent processes.
  • Docker-related processes may cause false positives due to their interaction with WSL. Exclude Docker executable paths from the detection rule to prevent unnecessary alerts.
  • Visual Studio Code extensions that interact with WSL can generate alerts. Exclude known non-threatening extensions by specifying their command-line arguments in the exception list.
  • Regular system updates or administrative tasks that involve WSL might be misidentified. Document these activities and adjust the detection rule to recognize them as benign.

Response and remediation

  • Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
  • Terminate any suspicious processes identified by the detection rule, such as those involving bash.exe or wsl.exe with unusual command-line arguments.
  • Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify any unauthorized changes or installations.
  • Remove any unauthorized or suspicious Linux binaries or scripts found within the WSL environment.
  • Reset credentials for any accounts that may have been compromised, especially if sensitive files like /etc/shadow or /etc/passwd were accessed.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
  • Implement enhanced monitoring and logging for WSL activities across the network to detect similar threats in the future, ensuring that alerts are promptly reviewed and acted upon.

References

Related rules

to-top