{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/windows-subsystem-for-linux/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Subsystem for Linux"],"_cs_severities":["medium"],"_cs_tags":["wsl","windows-subsystem-for-linux","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Windows Subsystem for Linux (WSL) allows users to run Linux binaries natively on Windows. Adversaries may abuse WSL to execute commands stealthily, bypassing Windows security measures. This rule detects suspicious WSL activity by monitoring specific executable paths (e.g., \u003ccode\u003ebash.exe\u003c/code\u003e), command-line arguments, and parent-child process relationships. The detection logic focuses on deviations from typical WSL usage patterns to uncover potential threats. This includes detecting \u003ccode\u003ebash.exe\u003c/code\u003e execution with atypical command-line arguments, WSL processes accessing sensitive files like \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e, and unexpected parent-child process relationships involving \u003ccode\u003ewsl.exe\u003c/code\u003e. This activity can be used for initial access, defense evasion, and credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker enables WSL on a compromised Windows host if it is not already enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewsl.exe\u003c/code\u003e to start a Linux environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewsl.exe\u003c/code\u003e to execute \u003ccode\u003ebash.exe\u003c/code\u003e with suspicious command-line arguments, such as those used to access sensitive files or download malicious payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003ebash.exe\u003c/code\u003e to download and execute further payloads from the internet using tools like \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access sensitive files like \u003ccode\u003e/etc/shadow\u003c/code\u003e or \u003ccode\u003e/etc/passwd\u003c/code\u003e within the WSL environment for credential dumping (T1003.008).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WSL environment as a staging ground to perform lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages indirect command execution (T1202) to execute malicious commands on the windows host from the WSL instance.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised host to achieve their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via WSL can lead to the compromise of Windows systems, credential theft, and further malicious activities. If an attacker successfully leverages WSL, they can bypass traditional Windows security measures, potentially leading to data breaches, system compromise, and lateral movement within the network. WSL abuse can affect any Windows system where WSL is enabled, including developer workstations and servers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to detect suspicious \u003ccode\u003ebash.exe\u003c/code\u003e and \u003ccode\u003ewsl.exe\u003c/code\u003e executions, as described in the rule's logsource.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Suspicious Execution via Windows Subsystem for Linux\u0026quot; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for access to sensitive files (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e, \u003ccode\u003e/etc/passwd\u003c/code\u003e) within the WSL environment, as referenced in the Attack Chain and rule logic.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual outbound connections from WSL processes, as this can indicate payload downloads or command and control activity.\u003c/li\u003e\n\u003cli\u003eReview WSL configurations on systems to identify any unauthorized changes or installations, as described in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wsl-execution/","summary":"This rule detects suspicious execution via the Windows Subsystem for Linux (WSL), which adversaries may leverage to execute Linux commands and bypass traditional Windows security measures.","title":"Suspicious Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-wsl-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows-Subsystem-for-Linux","version":"https://jsonfeed.org/version/1.1"}