WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Sigma rule

```yaml
title: WSL Child Process Anomaly
id: 2267fe65-0681-42ad-9a6d-46553d3f3480
related:
    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
      type: derived
status: test
description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
    - https://twitter.com/nas_bench/status/1535431474429808642
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2023-08-15
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_children_images:
        Image|endswith:
            # Add more suspicious/uncommon "lolbin" processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_children_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
            - 'C:\Temp\'
            - '\Downloads\'
            - '\Desktop\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - Unknown
level: medium
```
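To show how the `condition` combines the three selections, here is an added evaluator for this rule's detection block run over constructed process_creation events; it is example code, not part of the Sigma project, and it assumes Sysmon-style `ParentImage` and `Image` field names and implements only the `endswith` and `contains` modifiers this rule uses.

```python
# Added example, not part of the Sigma rule or the Sigma project: a minimal
# evaluator for this rule's detection block, run over constructed events.
PARENT_SUFFIXES = ("\\wsl.exe", "\\wslhost.exe")
CHILD_SUFFIXES = ("\\calc.exe", "\\cmd.exe", "\\cscript.exe", "\\mshta.exe",
                  "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe",
                  "\\rundll32.exe", "\\wscript.exe")
CHILD_PATHS = ("\\AppData\\Local\\Temp\\", "C:\\Users\\Public\\",
               "C:\\Windows\\Temp\\", "C:\\Temp\\", "\\Downloads\\",
               "\\Desktop\\")


def matches(event: dict) -> bool:
    """True when the event satisfies the rule's condition:
    selection_parent and 1 of selection_children_*"""
    # Sigma string modifiers (endswith, contains) are case-insensitive,
    # so normalise both the field values and the patterns.
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    selection_parent = parent.endswith(tuple(s.lower() for s in PARENT_SUFFIXES))
    selection_children_images = image.endswith(
        tuple(s.lower() for s in CHILD_SUFFIXES))
    selection_children_paths = any(p.lower() in image for p in CHILD_PATHS)
    # "1 of selection_children_*" means at least one child selection matches.
    return selection_parent and (selection_children_images
                                 or selection_children_paths)


# Constructed process_creation events (field names as in Sysmon/Sigma).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wsl.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                    # lolbin child
    {"ParentImage": r"C:\Windows\System32\wslhost.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},  # temp path
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\WSL.EXE",
     "Image": r"C:\Users\bob\Desktop\notes.exe"},                 # case differs
    {"ParentImage": r"C:\Windows\System32\wsl.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},                # benign child
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                    # wrong parent
    {"Image": r"C:\Windows\System32\cmd.exe"},                    # no parent field
]


def triage(events):
    """Return the Image of every event the rule would alert on."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The third sample event only matches because the comparison is case-insensitive, which is the behaviour a Sigma backend must preserve for this rule to fire on mixed-case paths.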
Related rules
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Child Process Of BgInfo.EXE
- Suspicious ZipExec Execution
- Uncommon Child Process Of BgInfo.EXE