Techniques
Sample rules
Installation of WSL Kali-Linux
- source: sigma
- techniques:
- t1059
Description
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
Detection logic
    condition: all of selection_wsl_*
    selection_wsl_img:
        - Image|endswith: '\wsl.exe'
        - OriginalFileName: 'wsl'
    selection_wsl_install:
        CommandLine|contains:
            - ' --install '
            - ' -i '
    selection_wsl_kali:
        CommandLine|contains: 'kali'
WSL Kali-Linux Usage
- source: sigma
- techniques:
- t1202
Description
Detects the use of Kali Linux through Windows Subsystem for Linux (WSL), either by the Kali image paths themselves or by a Kali-related child process spawned under wsl.exe or wslhost.exe.
Detection logic
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
    filter_main_install_uninstall:
        CommandLine|contains:
            - ' -i '
            - ' --install '
            - ' --unregister '
    selection_img_appdata:
        - Image|contains|all:
            - ':\Users\'
            - '\AppData\Local\packages\KaliLinux'
        - Image|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\WindowsApps\kali.exe'
    selection_img_windowsapps:
        Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
        Image|endswith: '\kali.exe'
    selection_kali_wsl_child:
        - Image|contains:
            - '\kali.exe'
            - '\KaliLinux'
        - CommandLine|contains:
            - 'Kali.exe'
            - 'Kali-linux'
            - 'kalilinux'
    selection_kali_wsl_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'

Note on how this condition parses: Sigma binds `not` tighter than `and`, and `and` tighter than `or`, so the condition reads as `1 of selection_img_* or (all of selection_kali_* and not 1 of filter_main_*)`. The install/unregister filter therefore only suppresses the parent/child branch (a Kali-related image or command line whose parent is wsl.exe or wslhost.exe); a direct match on the Kali image paths in `selection_img_appdata` or `selection_img_windowsapps` fires regardless of the command line. Sigma string matching is case-insensitive, so `Kali-linux` also matches `kali-linux`, and the leading and trailing spaces in the filter values mean a flag at the very end of a command line (no trailing space) is not filtered.
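To see how the two rules above behave on concrete events, the following Python is an added example, not code from the page or from the Sigma project: it re-implements the matching used by "Installation of WSL Kali-Linux" and "WSL Kali-Linux Usage" (case-insensitive substring and suffix tests, list values combined with OR, map keys combined with AND, and the `and`-before-`or` precedence of the condition) and runs both rules over constructed Sysmon-style process-creation events. The event values, the `KaliLinux.1.0.0.0_x64__example` package folder name and the `kali.exe -i foo` command line are invented for illustration.

```python
"""Added example: evaluate the two WSL Kali Sigma rules over constructed events.

Plain-Python re-implementation of the rules' matching semantics. This is
neither pySigma nor the Sigma project's own code.
"""
from typing import Dict, List, Tuple

Event = Dict[str, str]


def _field(event: Event, name: str) -> str:
    # Sigma string matching is case-insensitive by default, so both sides are lower-cased.
    return event.get(name, "").lower()


def contains(event: Event, field: str, needles: List[str]) -> bool:
    """field|contains with a list value: true if ANY needle is a substring."""
    hay = _field(event, field)
    return any(n.lower() in hay for n in needles)


def contains_all(event: Event, field: str, needles: List[str]) -> bool:
    """field|contains|all: true only if EVERY needle is a substring."""
    hay = _field(event, field)
    return all(n.lower() in hay for n in needles)


def endswith(event: Event, field: str, suffixes: List[str]) -> bool:
    """field|endswith with a list value: true if the field ends with ANY suffix."""
    hay = _field(event, field)
    return any(hay.endswith(s.lower()) for s in suffixes)


def wsl_kali_install(event: Event) -> bool:
    """'Installation of WSL Kali-Linux': condition: all of selection_wsl_*"""
    selection_wsl_img = (endswith(event, "Image", ["\\wsl.exe"])
                         or _field(event, "OriginalFileName") == "wsl")
    selection_wsl_install = contains(event, "CommandLine", [" --install ", " -i "])
    selection_wsl_kali = contains(event, "CommandLine", ["kali"])
    return selection_wsl_img and selection_wsl_install and selection_wsl_kali


def wsl_kali_usage(event: Event) -> bool:
    """'WSL Kali-Linux Usage':
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
    """
    filter_main_install_uninstall = contains(
        event, "CommandLine", [" -i ", " --install ", " --unregister "])
    selection_img_appdata = (
        contains_all(event, "Image", [":\\Users\\", "\\AppData\\Local\\packages\\KaliLinux"])
        or contains_all(event, "Image", [":\\Users\\", "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe"]))
    selection_img_windowsapps = (
        contains(event, "Image", [":\\Program Files\\WindowsApps\\KaliLinux."])
        and endswith(event, "Image", ["\\kali.exe"]))
    selection_kali_wsl_child = (
        contains(event, "Image", ["\\kali.exe", "\\KaliLinux"])
        or contains(event, "CommandLine", ["Kali.exe", "Kali-linux", "kalilinux"]))
    selection_kali_wsl_parent = endswith(event, "ParentImage", ["\\wsl.exe", "\\wslhost.exe"])
    # Sigma binds 'and' tighter than 'or': the filter only guards the kali_* branch,
    # so a hit on the Kali image paths fires even when an install/unregister flag is present.
    return (selection_img_appdata or selection_img_windowsapps) or (
        selection_kali_wsl_child and selection_kali_wsl_parent
        and not filter_main_install_uninstall)


# Constructed Sysmon-style process-creation events. Paths, the package folder name
# and the command lines are invented for illustration, not captured telemetry.
EVENTS: List[Event] = [
    {"name": "install",
     "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe --install -d kali-linux",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"name": "store_launch",
     "Image": r"C:\Program Files\WindowsApps\KaliLinux.1.0.0.0_x64__example\kali.exe",
     "CommandLine": 'kali.exe -c "id"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"name": "shell_via_wslhost",
     "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe -d kali-linux -e /bin/bash",
     "ParentImage": r"C:\Windows\System32\wslhost.exe"},
    {"name": "unregister",                      # suppressed by filter_main_install_uninstall
     "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe --unregister kali-linux",
     "ParentImage": r"C:\Windows\System32\wslhost.exe"},
    {"name": "appdata_with_filter_flag",        # contrived: shows the filter does not guard img_*
     "Image": r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps\kali.exe",
     "CommandLine": "kali.exe -i foo",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def evaluate(events: List[Event] = EVENTS) -> Dict[str, Tuple[bool, bool]]:
    """Map event name -> (install rule fired, usage rule fired)."""
    return {e["name"]: (wsl_kali_install(e), wsl_kali_usage(e)) for e in events}


if __name__ == "__main__":
    for name, (install, usage) in evaluate().items():
        print(f"{name:28} install={install!s:5} usage={usage}")
```

Running the block shows the install event only trips the first rule, the store launch and the wslhost-spawned shell only trip the second, the `--unregister` event is suppressed by the filter, and the AppData image match fires despite a ` -i ` flag in its command line because of the operator precedence described above. Swapping in your own process-creation records (same field names) is a quick way to check a rule's reach before deploying it through a real Sigma backend.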