Host Files System Changes via Windows Subsystem for Linux
Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/12"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may
13enable and use WSL for Linux to avoid detection.
14"""
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-endpoint.events.file-*",
20 "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Host Files System Changes via Windows Subsystem for Linux"
25references = ["https://github.com/microsoft/WSL"]
26risk_score = 47
27rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
28severity = "medium"
29tags = [
30 "Domain: Endpoint",
31 "OS: Windows",
32 "Use Case: Threat Detection",
33 "Tactic: Defense Evasion",
34 "Data Source: Elastic Endgame",
35 "Data Source: Elastic Defend",
36 "Data Source: Sysmon",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42sequence by process.entity_id with maxspan=5m
43 [process where host.os.type == "windows" and event.type == "start" and
44 process.name : "dllhost.exe" and
45 /* Plan9FileSystem CLSID - WSL Host File System Worker */
46 process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
47 [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1202"
55name = "Indirect Command Execution"
56reference = "https://attack.mitre.org/techniques/T1202/"
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History