Suspicious Execution via Windows Subsystem for Linux
This rule detects suspicious execution via the Windows Subsystem for Linux (WSL), which adversaries may leverage to execute Linux commands and bypass traditional Windows security measures.
The Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows. Adversaries may abuse WSL to execute commands stealthily, bypassing Windows security measures. This rule detects suspicious WSL activity by monitoring specific executable paths (e.g., bash.exe), command-line arguments, and parent-child process relationships. The detection logic focuses on deviations from typical WSL usage patterns to uncover potential threats. This includes detecting bash.exe execution with atypical command-line arguments, WSL processes accessing sensitive files like /etc/shadow or /etc/passwd, and unexpected parent-child process relationships involving wsl.exe. This activity can be used for initial access, defense evasion, and credential access.
Attack Chain
- The attacker enables WSL on a compromised Windows host if it is not already enabled.
- The attacker executes
wsl.exeto start a Linux environment. - The attacker uses
wsl.exeto executebash.exewith suspicious command-line arguments, such as those used to access sensitive files or download malicious payloads. - The attacker leverages
bash.exeto download and execute further payloads from the internet using tools likecurlorwget. - The attacker attempts to access sensitive files like
/etc/shadowor/etc/passwdwithin the WSL environment for credential dumping (T1003.008). - The attacker uses the WSL environment as a staging ground to perform lateral movement within the network.
- The attacker leverages indirect command execution (T1202) to execute malicious commands on the windows host from the WSL instance.
- The attacker uses the compromised host to achieve their final objective, such as data exfiltration or deploying ransomware.
Impact
Successful exploitation via WSL can lead to the compromise of Windows systems, credential theft, and further malicious activities. If an attacker successfully leverages WSL, they can bypass traditional Windows security measures, potentially leading to data breaches, system compromise, and lateral movement within the network. WSL abuse can affect any Windows system where WSL is enabled, including developer workstations and servers.
Recommendation
- Enable Sysmon process creation logging to detect suspicious
bash.exeandwsl.exeexecutions, as described in the rule's logsource. - Deploy the Sigma rule "Suspicious Execution via Windows Subsystem for Linux" to your SIEM and tune for your environment.
- Monitor process command lines for access to sensitive files (e.g.,
/etc/shadow,/etc/passwd) within the WSL environment, as referenced in the Attack Chain and rule logic. - Implement network monitoring to detect unusual outbound connections from WSL processes, as this can indicate payload downloads or command and control activity.
- Review WSL configurations on systems to identify any unauthorized changes or installations, as described in the investigation guide.
Detection coverage 2
Suspicious WSL Bash Execution
highDetects suspicious execution of bash within the Windows Subsystem for Linux.
WSL Executing Suspicious Network Commands
mediumDetects WSL executing curl, wget or other network commands
Detection queries are available on the platform. Get full rules →