Attempt to Install Kali Linux via WSL

 1[metadata]
 2creation_date = "2023/01/12"
 3integration = ["endpoint", "windows", "system"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
11Linux to avoid detection.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-windows.*",
18    "endgame-*",
19    "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Attempt to Install Kali Linux via WSL"
24references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
25risk_score = 73
26rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
27severity = "high"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Defense Evasion",
33    "Data Source: Elastic Endgame",
34    "Data Source: Elastic Defend",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and
41(
42 (process.name : "wsl.exe" and process.args : ("-d", "--distribution", "-i", "--install") and process.args : "kali*") or 
43 process.executable : 
44        ("?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*", 
45         "?:\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
46         "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe")
47 )
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1202"
55name = "Indirect Command Execution"
56reference = "https://attack.mitre.org/techniques/T1202/"
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"