{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wsl/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike FDR"],"_cs_severities":["medium"],"_cs_tags":["wsl","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Subsystem for Linux (WSL) to evade detection by operating within a Linux environment on a Windows host. The installation of a new WSL distribution involves specific registry modifications. This rule identifies such modifications, providing an alert when a new WSL distribution is installed. This is important for defenders as it could signal an attacker setting up a persistent and potentially hidden environment for malicious activities. WSL allows attackers to utilize Linux tools and techniques on a Windows system, potentially bypassing traditional Windows-based security measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows system through existing vulnerabilities or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker elevates their privileges to perform system-level changes, including registry modifications.\u003c/li\u003e\n\u003cli\u003eWSL Installation: The attacker initiates the installation of a WSL distribution. This may involve downloading and executing a WSL installer package.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: During installation, the system modifies the registry to configure and register the new WSL distribution. Specifically, keys under \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\\u003c/code\u003e are created/modified.\u003c/li\u003e\n\u003cli\u003eWSL Environment Setup: The attacker configures the installed WSL distribution, potentially installing additional tools and software needed for their objectives.\u003c/li\u003e\n\u003cli\u003eExecution of Malicious Activities: The attacker executes malicious commands and scripts within the WSL environment, leveraging Linux tools to perform actions such as lateral movement, data exfiltration, or persistence.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes WSL to evade detection, as traditional Windows-based security tools may not effectively monitor or analyze activity within the Linux subsystem.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence within the WSL environment, ensuring continued access to the compromised system even after reboots or security updates.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a hidden and persistent environment within the compromised Windows system. This can lead to data theft, system compromise, and further propagation of the attack within the network. The number of victims and affected sectors depends on the scope and objectives of the attacker. The use of WSL for malicious purposes can significantly complicate incident response and remediation efforts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WSL Installation via Registry Modification\u0026rdquo; to your SIEM to detect new WSL installations by monitoring registry changes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function correctly (see setup instructions in the rule description).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the WSL installation and identify potential malicious activities.\u003c/li\u003e\n\u003cli\u003eMonitor for execution of suspicious processes within WSL environments, as described in \u0026ldquo;Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T16:00:00Z","date_published":"2024-01-03T16:00:00Z","id":"/briefs/2024-01-wsl-registry-modification/","summary":"This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.","title":"Windows Subsystem for Linux Distribution Installed via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","wsl","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","CrowdStrike"],"content_html":"\u003cp\u003eAttackers may enable the Windows Subsystem for Linux (WSL) to run Linux applications and tools directly on Windows, potentially bypassing security controls and hindering detection. This involves using the Dism.exe utility to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature. By leveraging WSL, adversaries can execute malicious code, access Windows resources, and perform various malicious activities while blending in with legitimate system processes. The use of WSL provides an environment where traditional Windows-based security solutions may have limited visibility, thus offering a way to evade detection. This activity has been observed as a post-exploitation technique, used after initial access to a compromised system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing, exploiting vulnerabilities, or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes Dism.exe (Deployment Image Servicing and Management tool).\u003c/li\u003e\n\u003cli\u003eDism.exe is invoked with the command-line argument to enable the \u0026ldquo;Microsoft-Windows-Subsystem-Linux\u0026rdquo; feature.\u003c/li\u003e\n\u003cli\u003eThe system processes the Dism.exe command and enables WSL.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a Linux distribution (e.g., Ubuntu, Kali) within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WSL environment to execute Linux-based tools and scripts for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the WSL environment to interact with Windows resources or execute Windows commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing sensitive data or establishing persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enablement of WSL can lead to a compromised Windows system being used as a platform for Linux-based attacks. This can result in data theft, system compromise, and further propagation of malicious activity within the network. The use of WSL can make it difficult to detect malicious activity since it allows attackers to blend Linux-based attacks with normal Windows operations. The lack of visibility into the WSL environment by traditional Windows security tools can lead to prolonged periods of undetected malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eDism.exe\u003c/code\u003e with command-line arguments that include \u003ccode\u003eMicrosoft-Windows-Subsystem-Linux\u003c/code\u003e to detect WSL enablement attempts (see Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed command-line information for processes, which is crucial for detecting this activity (Sysmon Event ID 1).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious usage of the DISM utility to enable WSL. Tune the rule based on your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eDetect WSL Enablement via Dism\u003c/code\u003e to determine the legitimacy of the activity.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from WSL processes for suspicious outbound traffic.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of Dism.exe if WSL is not a sanctioned tool in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-enabled-via-dism/","summary":"Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.","title":"Windows Subsystem for Linux Enabled via Dism Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-enabled-via-dism/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Windows Subsystem for Linux"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","wsl"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows. Adversaries may exploit WSL to modify host files stealthily, bypassing traditional security measures and evading detection. This can be achieved by using WSL processes, especially those involving the Plan9FileSystem, to perform file operations on the host system. The detection rule identifies suspicious file operations initiated by \u003ccode\u003edllhost.exe\u003c/code\u003e with the Plan9FileSystem CLSID \u0026ldquo;{DFB65C4C-B34F-435D-AFE9-A86218684AA8}\u0026rdquo; to flag potential defense evasion attempts. This technique can be employed to modify system configurations, plant malicious files, or exfiltrate sensitive data, while blending in with legitimate WSL usage. Elastic has observed this activity and published a detection rule to identify such events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eWSL is enabled on the target system, if not already enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands within the WSL environment.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003edllhost.exe\u003c/code\u003e is spawned to facilitate file system operations between WSL and the host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Plan9FileSystem to interact with the Windows host file system.\u003c/li\u003e\n\u003cli\u003eMalicious files are created or existing files are modified on the host system using \u003ccode\u003edllhost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThese files may be placed in locations outside of typical user directories to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft or further system compromise, using the modified files or configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of sensitive data, modification of critical system files, and the installation of malware on the Windows host. While the exact number of victims and sectors targeted are not specified, this technique allows attackers to bypass traditional security measures, making it difficult to detect malicious activity. The impact could range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and file creation logging to capture the execution of \u003ccode\u003edllhost.exe\u003c/code\u003e and file modifications (Sysmon Event ID 1 and 11).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Host File System Changes via Windows Subsystem for Linux\u0026rdquo; to your SIEM to detect suspicious file operations involving \u003ccode\u003edllhost.exe\u003c/code\u003e and the Plan9FileSystem CLSID.\u003c/li\u003e\n\u003cli\u003eExclude legitimate WSL development directories and processes from the detection rule to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor for processes and file operations involving \u003ccode\u003edllhost.exe\u003c/code\u003e and the Plan9FileSystem, alerting on unusual activity.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate applications using WSL that may trigger alerts to prevent unnecessary notifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-filesystem-modification/","summary":"This rule detects file creation and modification on the host system from the Windows Subsystem for Linux (WSL), potentially indicating defense evasion by adversaries.","title":"Host File System Changes via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-filesystem-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Windows Subsystem for Linux","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows","wsl"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects attempts to execute programs on the host from the Windows Subsystem for Linux (WSL). Adversaries may enable and use WSL for Linux to avoid detection by executing malicious scripts or binaries, bypassing traditional Windows security mechanisms. The rule identifies suspicious executions initiated by WSL processes, excluding known safe executables, to flag potential misuse for defense evasion. This detection focuses on identifying when a process is spawned by \u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e and is not within a known good path. The rule is designed to work with data from Elastic Defend, Crowdstrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the Windows Subsystem for Linux (WSL).\u003c/li\u003e\n\u003cli\u003eThe attacker transfers or creates malicious scripts or binaries within the WSL environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the malicious script or binary using a Linux shell within WSL, such as bash.\u003c/li\u003e\n\u003cli\u003eThe WSL environment interacts with the Windows host to execute commands or access resources.\u003c/li\u003e\n\u003cli\u003eThe executed commands perform malicious actions, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages WSL\u0026rsquo;s integration with Windows to evade traditional Windows-based security measures.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the system or network while remaining undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute malicious code while potentially evading traditional Windows-based security measures. This can lead to system compromise, data theft, or further propagation of malware within the network. The rule\u0026rsquo;s \u003ccode\u003emedium\u003c/code\u003e severity reflects the potential for significant impact, necessitating prompt investigation and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via Windows Subsystem for Linux\u003c/code\u003e to your SIEM to detect potential malicious activity originating from WSL.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) or Windows process creation logs to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the executed process, parent process (\u003ccode\u003ewsl.exe\u003c/code\u003e or \u003ccode\u003ewslhost.exe\u003c/code\u003e), and associated user account.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other security events from Microsoft Defender XDR, SentinelOne, or Crowdstrike to identify related suspicious activities or patterns.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for known administrative scripts or development tools that are frequently executed via WSL to reduce false positives, as outlined in the rule\u0026rsquo;s analysis.\u003c/li\u003e\n\u003cli\u003eMonitor the WSL configuration and installed Linux distributions on affected systems to identify unauthorized changes or installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-wsl-child-process-execution/","summary":"This detection identifies attempts to execute programs from the Windows Subsystem for Linux (WSL) to evade detection by flagging suspicious executions initiated by WSL processes and excluding known safe executables.","title":"Execution via Windows Subsystem for Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-wsl-child-process-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Subsystem for Linux","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","wsl","kalilinux"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies attempts to install or utilize Kali Linux through the Windows Subsystem for Linux (WSL). Attackers may leverage WSL to deploy Kali Linux as a means of circumventing traditional security measures and carrying out malicious operations within a Windows operating system. This behavior enables them to potentially blend their activities with legitimate WSL usage, making detection more challenging. The detection focuses on identifying specific processes and command-line arguments associated with Kali Linux installations and executions within the WSL environment, aiming to expose malicious actors utilizing this technique for nefarious purposes. This activity started being tracked in early 2023. Defenders should be aware of this technique, as it can be used to bypass security controls and perform malicious activities discreetly.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods outside the scope of this specific detection (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker enables WSL on the target Windows system using PowerShell or command-line tools.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the Kali Linux distribution for WSL from the Microsoft Store or another source.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ewsl.exe\u003c/code\u003e with arguments like \u003ccode\u003e-d\u003c/code\u003e, \u003ccode\u003e--distribution\u003c/code\u003e, \u003ccode\u003e-i\u003c/code\u003e, or \u003ccode\u003e--install\u003c/code\u003e along with \u0026ldquo;kali*\u0026rdquo; to install the Kali Linux distribution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker directly executes the \u003ccode\u003ekali.exe\u003c/code\u003e binary located within the Kali Linux package path (e.g., \u003ccode\u003eC:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOnce Kali Linux is installed, the attacker uses it to perform various malicious activities, such as penetration testing, vulnerability scanning, or exploiting other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage tools and utilities within Kali Linux to escalate privileges, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to compromise the target system or network, steal valuable information, or disrupt operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using Kali Linux within WSL can lead to significant damage, including data breaches, system compromise, and disruption of services. The use of Kali Linux provides attackers with a wide range of tools and capabilities for reconnaissance, exploitation, and post-exploitation activities. Depending on the attacker\u0026rsquo;s objectives, this can result in financial losses, reputational damage, and legal liabilities. Organizations across various sectors are vulnerable, as this technique can be used against any Windows system with WSL enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Installation via WSL\u0026rdquo; to your SIEM to detect the use of \u003ccode\u003ewsl.exe\u003c/code\u003e with specific Kali Linux installation arguments (rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Kali Linux Executable via WSL\u0026rdquo; to your SIEM to detect the direct execution of \u003ccode\u003ekali.exe\u003c/code\u003e from the common install directories (rule).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003ewsl.exe\u003c/code\u003e and \u003ccode\u003ekali.exe\u003c/code\u003e within the Windows environment (logsource).\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of WSL within the organization to only authorized users and systems (overview).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized binaries, including \u003ccode\u003ekali.exe\u003c/code\u003e (overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kali-wsl-install/","summary":"Adversaries may attempt to install or use Kali Linux via Windows Subsystem for Linux (WSL) to avoid detection, potentially enabling them to perform malicious activities within a Windows environment while blending in with legitimate WSL usage.","title":"Detection of Kali Linux Installation or Usage via Windows Subsystem for Linux (WSL)","url":"https://feed.craftedsignal.io/briefs/2024-01-kali-wsl-install/"}],"language":"en","title":"CraftedSignal Threat Feed — Wsl","version":"https://jsonfeed.org/version/1.1"}