Execution via Windows Subsystem for Linux

Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.

Elastic rule

```toml
[metadata]
creation_date = "2023/01/12"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use
WSL for Linux to avoid detection.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Execution via Windows Subsystem for Linux"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution via Windows Subsystem for Linux

Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows, providing a seamless integration of Linux tools. Adversaries may exploit WSL to execute malicious scripts or binaries, bypassing traditional Windows security mechanisms. The detection rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion.

### Possible investigation steps

- Review the process details to identify the executable path and determine if it matches any known malicious or suspicious binaries not listed in the safe executables.
- Investigate the parent process, specifically wsl.exe or wslhost.exe, to understand how the execution was initiated and if it aligns with expected user behavior or scheduled tasks.
- Check the user account associated with the process execution to verify if the activity is consistent with the user's typical behavior or if the account may have been compromised.
- Analyze the event dataset, especially if it is from crowdstrike.fdr, to gather additional context about the process execution and any related activities on the host.
- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or SentinelOne to identify any related suspicious activities or patterns.
- Assess the risk score and severity in the context of the organization's environment to prioritize the investigation and response actions accordingly.

### False positive analysis

- Legitimate administrative tasks using WSL may trigger alerts. Users can create exceptions for known administrative scripts or binaries that are frequently executed via WSL.
- Development environments often use WSL for compiling or testing code. Exclude specific development tools or scripts that are regularly used by developers to prevent unnecessary alerts.
- Automated system maintenance scripts running through WSL can be mistaken for malicious activity. Identify and whitelist these scripts to reduce false positives.
- Security tools or monitoring solutions that leverage WSL for legitimate purposes should be identified and excluded from detection to avoid interference with their operations.
- Frequent use of WSL by specific users or groups for non-malicious purposes can be managed by creating user-based exceptions, allowing their activities to proceed without triggering alerts.

### Response and remediation

- Isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate any suspicious processes identified as being executed via WSL that are not part of the known safe executables list.
- Conduct a thorough review of the affected system's WSL configuration and installed Linux distributions to identify unauthorized changes or installations.
- Remove any unauthorized or malicious scripts and binaries found within the WSL environment.
- Restore the system from a known good backup if malicious activity has compromised system integrity.
- Update and patch the system to ensure all software, including WSL, is up to date to mitigate known vulnerabilities.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
risk_score = 47
rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type : "start" and
  process.parent.name : ("wsl.exe", "wslhost.exe") and
  not process.executable : (
        "?:\\Program Files (x86)\\*",
        "?:\\Program Files\\*",
        "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
        "?:\\Windows\\System32\\conhost.exe",
        "?:\\Windows\\System32\\lxss\\wslhost.exe",
        "?:\\Windows\\System32\\WerFault.exe",
        "?:\\Windows\\Sys?????\\wslconfig.exe"
  ) and
  not (
    event.dataset == "crowdstrike.fdr" and
      process.executable : (
        "\\Device\\HarddiskVolume?\\Program Files (x86)\\*",
        "\\Device\\HarddiskVolume?\\Program Files\\*",
        "\\Device\\HarddiskVolume?\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\conhost.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\lxss\\wslhost.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\WerFault.exe",
        "\\Device\\HarddiskVolume?\\Windows\\Sys?????\\wslconfig.exe"
      )
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
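The following is an added example, not code from Elastic or the rule itself: a small Python re-implementation of the query's matching logic over constructed process events, useful for checking how the `?`/`*` exclusions and the separate `crowdstrike.fdr` device-path branch behave before tuning the rule. The event layout (flattened ECS field names in a dict) and the `make_event` helper are assumptions for the example.

```python
import re

# The rule's drive-letter exclusions, copied from the EQL query above.
HOST_EXCLUSIONS = [
    r"?:\Program Files (x86)\*",
    r"?:\Program Files\*",
    r"?:\Program Files*\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_*\wsl*.exe",
    r"?:\Windows\System32\conhost.exe",
    r"?:\Windows\System32\lxss\wslhost.exe",
    r"?:\Windows\System32\WerFault.exe",
    r"?:\Windows\Sys?????\wslconfig.exe",
]
# CrowdStrike FDR reports NT device paths rather than drive letters, so the rule
# repeats every exclusion with that prefix; this rebuilds the same list.
FDR_EXCLUSIONS = [r"\Device\HarddiskVolume?" + p[len("?:"):] for p in HOST_EXCLUSIONS]


def eql_wildcard(pattern: str) -> re.Pattern:
    """EQL ':' semantics: case-insensitive, '*' matches any run, '?' exactly one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(regex, re.IGNORECASE)


_HOST_RE = [eql_wildcard(p) for p in HOST_EXCLUSIONS]
_FDR_RE = [eql_wildcard(p) for p in FDR_EXCLUSIONS]


def matches_rule(event: dict) -> bool:
    """Return True when a flattened ECS process event would fire the rule."""
    if event.get("host.os.type") != "windows":  # '==' is an exact comparison in EQL
        return False
    if event.get("event.type", "").lower() != "start":
        return False
    if event.get("process.parent.name", "").lower() not in ("wsl.exe", "wslhost.exe"):
        return False
    exe = event.get("process.executable", "")
    if any(r.fullmatch(exe) for r in _HOST_RE):
        return False
    # Device-path exclusions only apply to FDR events; the same path from another
    # source is not excluded, which is why the rule carries both lists.
    if event.get("event.dataset") == "crowdstrike.fdr" and any(r.fullmatch(exe) for r in _FDR_RE):
        return False
    return True


def make_event(parent: str, exe: str, dataset: str = "endpoint.events.process") -> dict:
    """Build a constructed sample event (not real telemetry) for testing the rule."""
    return {"host.os.type": "windows", "event.type": "start", "event.dataset": dataset,
            "process.parent.name": parent, "process.executable": exe}
```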
