Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Sigma rule
```yaml
title: Windows Binary Executed From WSL
id: ed825c86-c009-4014-b413-b76003e33d35
status: test
description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/14
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|re: '[a-zA-Z]:\\'
        CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location
    condition: selection
falsepositives:
    - Unknown
level: medium
```
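To see what the selection block actually fires on, here is an added Python re-implementation of the rule's two matching conditions, run over constructed process_creation events (this is example code, not the rule's or Sigma's own, and the hosts, users and paths in the sample events are assumed). It also shows the caveat from the rule's inline comment: cmd.exe cannot hold a UNC working directory, so its launches fall back to a local path and are not caught.

```python
import re

# Added example, not part of the rule page: re-implements the two selection
# conditions of "Windows Binary Executed From WSL" and evaluates them over
# constructed process_creation events (fields modelled on Sysmon Event ID 1).
DRIVE_LETTER_RE = re.compile(r"[a-zA-Z]:\\")   # Image|re: '[a-zA-Z]:\\'
WSL_UNC_MARKER = r"\\wsl.localhost"            # CurrentDirectory|contains: '\\\\wsl.localhost'


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block."""
    image = event.get("Image", "")
    cwd = event.get("CurrentDirectory", "")
    # Sigma 're' is an unanchored search; 'contains' is a case-insensitive substring test.
    return bool(DRIVE_LETTER_RE.search(image)) and WSL_UNC_MARKER.lower() in cwd.lower()


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {   # Windows binary launched from a WSL shell: the working directory is the
        # distro's UNC share, so the rule fires.
        "id": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CurrentDirectory": r"\\wsl.localhost\Ubuntu\home\alice",
        "ParentImage": r"C:\Windows\System32\wsl.exe",
    },
    {   # The caveat from the rule's comment: cmd.exe does not accept a UNC working
        # directory and falls back to a local path, so this launch is missed.
        "id": "evt-2", "Image": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": r"C:\Windows",
        "ParentImage": r"C:\Windows\System32\wsl.exe",
    },
    {   # Ordinary interactive launch from a user profile: benign, no match.
        "id": "evt-3", "Image": r"C:\Windows\System32\notepad.exe",
        "CurrentDirectory": r"C:\Users\alice\Documents",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Older '\\wsl$' share prefix: the rule only looks for wsl.localhost,
        # so a second selection would be needed to cover it.
        "id": "evt-4", "Image": r"C:\Windows\System32\whoami.exe",
        "CurrentDirectory": r"\\wsl$\Ubuntu\tmp",
        "ParentImage": r"C:\Windows\System32\wsl.exe",
    },
]


def evaluate(events: list) -> list:
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]   # → ['evt-1'] for SAMPLE_EVENTS
```

Running `evaluate(SAMPLE_EVENTS)` returns only `evt-1`; evt-2 and evt-4 are the gaps a detection engineer would weigh when tuning this rule.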
Related rules
- Potentially Suspicious Child Process Of VsCode
- Suspicious Child Process Of BgInfo.EXE
- Potential Binary Impersonating Sysinternals Tools
- Suspicious Cmdl32 Execution
- Renamed CURL.EXE Execution