Arbitrary Command Execution Using WSL
Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
Authors: oscd.community, Zach Stanford, Nasreddine Bencherchali (Nextron Systems). Created Mon Oct 05, updated Wed Apr 12. Rule ID dec44ca7-61ad-493c-bfd7-8819c5faa09b. Product: windows.
Hunting Hypothesis
Log Source
Product: Windows (logsource product: windows)
Category: Process Creation (logsource category: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        - Image|endswith: '\wsl.exe'
        - OriginalFileName: 'wsl.exe'
    selection_cli:
        CommandLine|contains:
            - ' -e '
            - ' --exec'
            - ' --system'
            - ' --shell-type '
            - ' /mnt/c' # Path to mounted "C:\" partition (indication of running Windows binaries via WSL)
            - ' --user root'
            - ' -u root'
            - '--debug-shell'
    filter_main_kill:
        # This filter handles a FP that occurs when a process is spawned from WSL and then closed by the user.
        # Example: opening VS Code through its server extension from WSL
        # GrandparentCommandLine: "C:\Users\XXX\AppData\Local\Programs\Microsoft VS Code\Code.exe" --ms-enable-electron-run-as-node c:\Users\XXX\.vscode\extensions\ms-vscode-remote.remote-wsl-0.72.0\dist\wslDaemon.js
        # ParentCommandLine: C:\WINDOWS\system32\cmd.exe /d /s /c "C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366"
        # CommandLine: C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366
        ParentImage|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' -d '
            - ' -e kill '
    condition: all of selection_* and not 1 of filter_main_*
False Positives
Automation and orchestration scripts may use this method to execute scripts etc.
Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)
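As an added example (not part of the Sigma rule, its converter, or any SIEM backend), the three selectors and the condition above evaluated in plain Python over constructed process-creation events, including the VS Code "kill" case that the filter suppresses. Field names follow the rule; the events, hosts and paths are made up, and matching is case-insensitive as Sigma's default string matching is.

```python
# Added illustration of this rule's logic; the events below are constructed.
CLI_SUBSTRINGS = [" -e ", " --exec", " --system", " --shell-type ",
                  " /mnt/c", " --user root", " -u root", "--debug-shell"]


def selection_img(ev):
    # Sigma list of maps: matching either item is enough (OR).
    return (ev.get("Image", "").lower().endswith("\\wsl.exe")
            or ev.get("OriginalFileName", "").lower() == "wsl.exe")


def selection_cli(ev):
    # CommandLine|contains with a list: any one substring matches (OR).
    cli = ev.get("CommandLine", "").lower()
    return any(s in cli for s in CLI_SUBSTRINGS)


def filter_main_kill(ev):
    # Both keys must hold; |contains|all needs every listed substring.
    cli = ev.get("CommandLine", "").lower()
    return (ev.get("ParentImage", "").lower().endswith("\\cmd.exe")
            and all(s in cli for s in (" -d ", " -e kill ")))


def matches(ev):
    # condition: all of selection_* and not 1 of filter_main_*
    return selection_img(ev) and selection_cli(ev) and not filter_main_kill(ev)


# Constructed sample events (hypothetical machine, paths and PIDs).
EVENTS = [
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wsl.exe -e /mnt/c/Windows/System32/cmd.exe /c whoami"},   # expected hit
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\WINDOWS\System32\wsl.exe -d Ubuntu-20.04 -e kill 1366"},  # VS Code FP, filtered
    {"Image": r"C:\Windows\System32\wsl.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wsl.exe -d Ubuntu-20.04"},                                  # no listed switch
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c wsl --exec id"},                                 # image is not wsl.exe
]


def alerts(events=EVENTS):
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    print(alerts())  # [0]
```

Only the first event alerts: the second is suppressed by filter_main_kill even though both selection_* blocks match it, which is exactly the VS Code server case the rule comments describe.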
MITRE ATT&CK
Other
detection.threat-hunting
Rule Metadata
Rule ID
dec44ca7-61ad-493c-bfd7-8819c5faa09b
Status
test
Level
medium
Type
Threat Hunt
Created
Mon Oct 05
Modified
Wed Apr 12
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml
Raw Tags
attack.execution, attack.defense-evasion, attack.t1218, attack.t1202, detection.threat-hunting