Host Files System Changes via Windows Subsystem for Linux
Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
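[metadata]
creation_date = "2023/01/12"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Detects file creation and modification on the host system from the Windows Subsystem for Linux. Adversaries may
enable and use WSL for Linux to avoid detection.
"""
# Look-back window for each scheduled run; presumably set wider than the 5m
# sequence maxspan below so a sequence that straddles two runs is still seen.
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Host Files System Changes via Windows Subsystem for Linux"
references = ["https://github.com/microsoft/WSL"]
risk_score = 47
rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Evaluate against ingestion time rather than event time so late-arriving
# events are not skipped by the look-back window above.
timestamp_override = "event.ingested"
type = "eql"

# Both events must come from the same dllhost.exe instance (joined on
# process.entity_id) within 5 minutes. The first event identifies the WSL
# Plan9 file system worker by the CLSID on its command line; the second is
# any file event attributed to that process. File activity under a user's
# Downloads folder is excluded, so host writes landing there via this worker
# will not alert. If the worker's process start is not captured (for example,
# it was already running before telemetry began), the sequence cannot fire.
query = '''
sequence by process.entity_id with maxspan=5m
  [process where host.os.type == "windows" and event.type == "start" and
   process.name : "dllhost.exe" and
   /* Plan9FileSystem CLSID - WSL Host File System Worker */
   process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
  [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1202"
name = "Indirect Command Execution"
reference = "https://attack.mitre.org/techniques/T1202/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"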