Attempt to Install Kali Linux via WSL
Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/12"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for
11Linux to avoid detection.
12"""
13from = "now-9m"
14index = [
15 "winlogbeat-*",
16 "logs-endpoint.events.process-*",
17 "logs-windows.*",
18 "endgame-*",
19 "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Attempt to Install Kali Linux via WSL"
24references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
25risk_score = 73
26rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
27severity = "high"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Defense Evasion",
33 "Data Source: Elastic Endgame",
34 "Data Source: Elastic Defend",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and
41(
42 (process.name : "wsl.exe" and process.args : ("-d", "--distribution", "-i", "--install") and process.args : "kali*") or
43 process.executable :
44 ("?:\\Users\\*\\AppData\\Local\\packages\\kalilinux*",
45 "?:\\Users\\*\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe",
46 "?:\\Program Files*\\WindowsApps\\KaliLinux.*\\kali.exe")
47 )
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1202"
55name = "Indirect Command Execution"
56reference = "https://attack.mitre.org/techniques/T1202/"
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adding Hidden File Attribute via Attrib
- Clearing Windows Console History
- Clearing Windows Event Logs
- Code Signing Policy Modification Through Built-in tools
- Code Signing Policy Modification Through Registry