Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Sigma rule (View on GitHub)
1title: Windows Binary Executed From WSL
2id: ed825c86-c009-4014-b413-b76003e33d35
3status: test
4description: |
5 Detects the execution of Windows binaries from within a WSL instance.
6 This could be used to masquerade parent-child relationships
7references:
8 - Internal Research
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-02-14
11tags:
12 - attack.execution
13 - attack.defense-evasion
14 - attack.t1202
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|re: '[a-zA-Z]:\\'
21 CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution