Detectionmediumtest
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Mon Jan 23Updated Tue Aug 152267fe65-0681-42ad-9a6d-46553d3f3480windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
selection_parent:
ParentImage|endswith:
- '\wsl.exe'
- '\wslhost.exe'
selection_children_images:
Image|endswith:
# Add more suspicious/uncommon "lolbin" processes
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_children_paths:
Image|contains:
- '\AppData\Local\Temp\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
- 'C:\Temp\'
- '\Downloads\'
- '\Desktop\'
condition: selection_parent and 1 of selection_children_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
2267fe65-0681-42ad-9a6d-46553d3f3480
Status
test
Level
medium
Type
Detection
Created
Mon Jan 23
Modified
Tue Aug 15
Path
rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1218attack.t1202