Arbitrary Command Execution Using WSL
- source: sigma
- techniques:
  - t1202
  - t1218
Description
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands
Detection logic
detection:
    selection_img:
        - Image|endswith: '\wsl.exe'
        - OriginalFileName: 'wsl.exe'
    selection_cli:
        CommandLine|contains:
            - ' -e '
            - ' --exec'
            - ' --system'
            - ' --shell-type '
            - ' /mnt/c'
            - ' --user root'
            - ' -u root'
            - '--debug-shell'
    filter_main_kill:
        ParentImage|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' -d '
            - ' -e kill '
    condition: all of selection_* and not 1 of filter_main_*
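To show how the selections, the filter and the condition above combine on real telemetry, here is a small evaluator run over constructed process-creation events. This is an added example, not code from the Sigma project: it transcribes the rule's detection block into a Python dict, implements only the Sigma modifiers the rule uses (`contains`, `contains|all`, `endswith`, exact match, case-insensitive as Sigma's defaults), and assumes Sysmon/EDR-style field names (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`) exactly as written in the rule. The sample events, paths and command lines are constructed for the demonstration.

```python
"""Evaluate the WSL LOLBIN rule's detection logic over constructed events.
Added example (not Sigma project code); supports only the modifiers this rule uses."""

# Transcription of the rule's detection block. Keys keep Sigma's field|modifier syntax.
DETECTION = {
    "selection_img": [                       # list of maps: OR between the entries
        {"Image|endswith": "\\wsl.exe"},
        {"OriginalFileName": "wsl.exe"},     # catches a renamed copy of wsl.exe
    ],
    "selection_cli": {                       # map: AND between its fields
        "CommandLine|contains": [
            " -e ", " --exec", " --system", " --shell-type ",
            " /mnt/c", " --user root", " -u root", "--debug-shell",
        ],
    },
    "filter_main_kill": {                    # benign pattern excluded by the rule
        "ParentImage|endswith": "\\cmd.exe",
        "CommandLine|contains|all": [" -d ", " -e kill "],
    },
}


def _field_matches(event, key, expected):
    """Apply one Sigma field key such as 'CommandLine|contains|all' to an event."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()          # Sigma matches case-insensitively
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        test = lambda w: w in value
    elif "endswith" in mods:
        test = lambda w: value.endswith(w)
    elif "startswith" in mods:
        test = lambda w: value.startswith(w)
    else:
        test = lambda w: value == w
    # Plain lists are OR; the 'all' modifier turns the list into AND.
    return all(map(test, wanted)) if "all" in mods else any(map(test, wanted))


def _selection_matches(event, selection):
    """A list of maps matches if any entry matches; a map matches if all fields match."""
    if isinstance(selection, list):
        return any(_selection_matches(event, entry) for entry in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in DETECTION.items() if k.startswith("selection_")]
    filters = [v for k, v in DETECTION.items() if k.startswith("filter_main_")]
    return (all(_selection_matches(event, s) for s in selections)
            and not any(_selection_matches(event, f) for f in filters))


# Constructed sample events (not real telemetry). Expected verdicts are noted per event.
SAMPLE_EVENTS = [
    {   # wsl.exe with -e from explorer: alert
        "Image": "C:\\Windows\\System32\\wsl.exe", "OriginalFileName": "wsl.exe",
        "CommandLine": "wsl.exe -e cat /etc/os-release",
        "ParentImage": "C:\\Windows\\explorer.exe"},
    {   # distro kill from cmd.exe: matches selections but is excluded by filter_main_kill
        "Image": "C:\\Windows\\System32\\wsl.exe", "OriginalFileName": "wsl.exe",
        "CommandLine": "wsl.exe -d Ubuntu -e kill 4242",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {   # listing distros: none of the command-line flags, no alert
        "Image": "C:\\Windows\\System32\\wsl.exe", "OriginalFileName": "wsl.exe",
        "CommandLine": "wsl.exe --list --verbose",
        "ParentImage": "C:\\Windows\\explorer.exe"},
    {   # renamed binary: Image misses, OriginalFileName still identifies wsl.exe: alert
        "Image": "C:\\Temp\\w.exe", "OriginalFileName": "wsl.exe",
        "CommandLine": "w.exe --shell-type standard",
        "ParentImage": "C:\\Windows\\explorer.exe"},
    {   # same kill command but parent is not cmd.exe: filter does not apply, alert
        "Image": "C:\\Windows\\System32\\wsl.exe", "OriginalFileName": "wsl.exe",
        "CommandLine": "wsl.exe -d Ubuntu -e kill 4242",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def run_samples(events=SAMPLE_EVENTS):
    """Return the rule's verdict for each event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_samples()):
        print("ALERT " if hit else "ok    ", event["CommandLine"], "<-", event["ParentImage"])
```

The fifth event is the one worth noticing when tuning: the filter only suppresses the `-d ... -e kill` pattern when the parent is `cmd.exe`, so the same command launched from another shell still alerts. Widening the filter is a deliberate decision, not an oversight to fix silently.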