{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kalilinux/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","wsl","kalilinux"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies attempts to install or use Kali Linux through the Windows Subsystem for Linux (WSL). Attackers may use WSL to deploy Kali Linux because it gives them a complete Linux offensive toolset on a compromised Windows host while blending in with legitimate developer use of WSL. Under WSL 2 the distribution runs inside a lightweight utility VM, so tools launched within it do not appear as Windows processes in Sysmon or Security event 4688; the Windows-side launch of \u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ekali.exe\u003c/code\u003e, and the installation itself, are therefore the most reliable host signals. The detection keys on those processes and on the command-line arguments associated with installing or starting a Kali distribution. This activity started being tracked in early 2023. 
Defenders should be aware of this technique, as it can be used to bypass security controls and perform malicious activities discreetly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods outside the scope of this specific detection (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker enables WSL on the target Windows system using PowerShell or command-line tools. This step requires local administrator rights and, when the optional feature still has to be installed, typically a reboot, so it is comparatively noisy on a host that did not already have WSL.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the Kali Linux distribution for WSL from the Microsoft Store or another source.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewsl.exe\u003c/code\u003e with arguments like \u003ccode\u003e-d\u003c/code\u003e, \u003ccode\u003e--distribution\u003c/code\u003e, \u003ccode\u003e-i\u003c/code\u003e, or \u003ccode\u003e--install\u003c/code\u003e along with \u0026ldquo;kali*\u0026rdquo; to install or start the Kali Linux distribution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly executes the \u003ccode\u003ekali.exe\u003c/code\u003e binary located within the Kali Linux package path (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOnce Kali Linux is installed, the attacker uses its toolset for reconnaissance, vulnerability scanning, or exploitation of other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage tools and utilities within Kali Linux to escalate privileges, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to compromise the target system or network, steal valuable information, or disrupt operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Kali Linux within WSL can lead to 
significant damage, including data breaches, system compromise, and disruption of services. The use of Kali Linux provides attackers with a wide range of tools and capabilities for reconnaissance, exploitation, and post-exploitation activities. Depending on the attacker\u0026rsquo;s objectives, this can result in financial losses, reputational damage, and legal liabilities. Any Windows system on which WSL is enabled, or on which the attacker holds the local administrator rights needed to enable it, is exposed. Because developers and security teams also run Kali under WSL legitimately, a hit from this detection should be triaged against the organization\u0026rsquo;s list of authorized WSL users and hosts rather than treated as confirmed compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Installation via WSL\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003ewsl.exe\u003c/code\u003e with specific Kali Linux installation arguments (rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Executable via WSL\u0026rdquo; to your SIEM to detect the direct execution of \u003ccode\u003ekali.exe\u003c/code\u003e from the common install directories (rule).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003ewsl.exe\u003c/code\u003e and \u003ccode\u003ekali.exe\u003c/code\u003e within the Windows environment, using Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, since the arguments are what separate a Kali install from ordinary WSL use (logsource).\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WSL within the organization to only authorized users and systems, and record those exceptions so that alerts from the rules above can be tuned against them (overview).\u003c/li\u003e\n\u003cli\u003eImplement application control policies, such as AppLocker or Windows Defender Application Control, to prevent the execution of unauthorized binaries, including \u003ccode\u003ekali.exe\u003c/code\u003e (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kali-wsl-install/","summary":"Adversaries may attempt to install or use Kali Linux via Windows Subsystem for Linux (WSL) to avoid detection, potentially enabling them to perform malicious activities within a Windows environment while blending in 
with legitimate WSL usage.","title":"Detection of Kali Linux Installation or Usage via Windows Subsystem for Linux (WSL)","url":"https://feed.craftedsignal.io/briefs/2024-01-kali-wsl-install/"}],"language":"en","title":"CraftedSignal Threat Feed — Kalilinux","version":"https://jsonfeed.org/version/1.1"}
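The two detections the brief describes (`wsl.exe` launched with an install or distribution switch naming `kali*`, and `kali.exe` started from the per-user package path) are easy to misread as "alert on every WSL launch". The following is an added example, not the feed's Sigma rules or any vendor's code: it implements the matching logic as the brief states it, runs it over constructed Sysmon-style process-creation events, and adds an allowlist step for the authorized-user triage the Recommendation section calls for. The event field names (`image`, `command_line`, `user`), the regular expressions, the package folder name in the sample path and the user names are all assumptions made for the example.

```python
"""Matching logic for the two WSL/Kali detections in the brief, run over
constructed process-creation events. Added example; the regexes are this
example's reading of the brief, not the feed's Sigma rule text."""
import re
from dataclasses import dataclass

# Switches the brief lists for the install rule; token-bounded so that e.g.
# "-i" does not match inside "--import". Case-insensitive like the rule.
WSL_SWITCHES = re.compile(r"(?:^|\s)(?:-d|--distribution|-i|--install)(?=\s|$)", re.I)
# The brief's "kali*" value: an argument that starts with "kali".
KALI_ARG = re.compile(r"(?:^|\s|=)kali", re.I)
# The brief's path pattern C:\Users\*\AppData\Local\packages\kalilinux*
# for the executable rule, anchored on the kali.exe file name (assumption).
KALI_EXE_PATH = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\packages\\kalilinux.*\\kali\.exe$", re.I)


@dataclass
class ProcessEvent:
    """Minimal projection of a Sysmon EID 1 / Security 4688 record (assumed fields)."""
    image: str          # full path of the new process
    command_line: str   # command line, which 4688 only has if auditing is enabled
    user: str           # account that started the process


@dataclass
class Finding:
    rule: str
    event: ProcessEvent
    authorized: bool    # True when the user is on the WSL allowlist (triage hint)


def is_wsl_kali_install(ev: ProcessEvent) -> bool:
    """Rule 1: wsl.exe with an install/distribution switch and a kali* argument."""
    if not ev.image.lower().endswith("\\wsl.exe"):
        return False
    return bool(WSL_SWITCHES.search(ev.command_line)) and bool(KALI_ARG.search(ev.command_line))


def is_kali_exe_launch(ev: ProcessEvent) -> bool:
    """Rule 2: kali.exe executed from the Store package directory."""
    return bool(KALI_EXE_PATH.match(ev.image))


def evaluate(events, authorized_users=frozenset()):
    """Apply both rules; tag each hit with whether the user is pre-authorized."""
    findings = []
    for ev in events:
        if is_wsl_kali_install(ev):
            rule = "Detect Kali Linux Installation via WSL"
        elif is_kali_exe_launch(ev):
            rule = "Detect Kali Linux Executable via WSL"
        else:
            continue
        findings.append(Finding(rule, ev, ev.user.lower() in authorized_users))
    return findings


# Constructed sample events (not real telemetry); users and paths are invented.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wsl.exe", "wsl.exe --install -d kali-linux", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\wsl.exe", "wsl.exe -d Ubuntu-22.04", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\wsl.exe", "wsl.exe --list --verbose", r"CORP\jdoe"),
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Packages\KaliLinux.54290C8133FEE_ey8k8hqnwqnmg\kali.exe",
                 "kali.exe", r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\wsl.exe", "wsl -d kali-linux -- nmap -sV 10.0.0.0/24",
                 r"CORP\redteam-svc"),
    ProcessEvent(r"C:\Users\jdoe\Downloads\kali.exe", "kali.exe", r"CORP\jdoe"),
]
# Assumed allowlist of accounts approved to run Kali under WSL (lower-cased).
AUTHORIZED_WSL_USERS = frozenset({r"corp\redteam-svc"})


def main():
    for f in evaluate(SAMPLE_EVENTS, AUTHORIZED_WSL_USERS):
        tag = "authorized" if f.authorized else "TRIAGE"
        print(f"[{tag}] {f.rule}: {f.event.user} -> {f.event.command_line}")


if __name__ == "__main__":
    main()
```

Three of the six sample events fire: the `--install -d kali-linux` launch, the `kali.exe` start from the package folder, and the red-team account's `wsl -d kali-linux` scan, which the allowlist marks as authorized rather than suppressing. The plain `-d Ubuntu-22.04` and `--list` launches do not fire, which is the point of requiring the `kali*` argument. The last event also shows the executable rule's limit as the brief states it: a `kali.exe` copied to `Downloads` is outside the package path and is not caught by that rule, so the application control recommendation is what covers relocated binaries.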