Host Files System Changes via Windows Subsystem for Linux

 1[metadata]
 2creation_date = "2023/01/12"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may
11enable and use WSL for Linux to avoid detection.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-endpoint.events.file-*",
18    "logs-windows.sysmon_operational-*",
19]
20language = "eql"
21license = "Elastic License v2"
22name = "Host Files System Changes via Windows Subsystem for Linux"
23references = ["https://github.com/microsoft/WSL"]
24risk_score = 47
25rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
26severity = "medium"
27tags = [
28    "Domain: Endpoint",
29    "OS: Windows",
30    "Use Case: Threat Detection",
31    "Tactic: Defense Evasion",
32    "Data Source: Elastic Endgame",
33    "Data Source: Elastic Defend",
34    "Data Source: Sysmon",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40sequence by process.entity_id with maxspan=5m
41 [process where host.os.type == "windows" and event.type == "start" and
42  process.name : "dllhost.exe" and 
43   /* Plan9FileSystem CLSID - WSL Host File System Worker */
44  process.command_line : "*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*"]
45 [file where host.os.type == "windows" and process.name : "dllhost.exe" and not file.path : "?:\\Users\\*\\Downloads\\*"]
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1202"
53name = "Indirect Command Execution"
54reference = "https://attack.mitre.org/techniques/T1202/"
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"