Suspicious creation of files in /etc for persistence in WSL
Suspicious Creation Of Files In Etc For Persistance In Wsl
Query
let LinuxPerSuspicousCommands = dynamic(["/etc/ld.so.conf.d/", "/etc/cron.d/", "/etc/sudoers.d/", "/etc/rc.d/init.d/", "/etc/systemd/system/","/usr/lib/systemd/system/"]);
let TimeFrame = 30d; // Choose the best timeframe for your investigation
DeviceInfo
| where RegistryDeviceTag has "WSL2"
| project DeviceId
| join ( DeviceFileEvents
| where Timestamp > ago(TimeFrame)
| where ActionType == "FileCreated"
| where FolderPath has_any (LinuxPerSuspicousCommands)
| project TimeGenerated, WSLDeviceID = DeviceId, DeviceName, FileName, FolderPath
)
on $left.DeviceId == $right.WSLDeviceID
| sort by TimeGenerated descAbout this query
Suspicious creation of files in /etc for persistence in WSL
Description
The following query will assist in hunting for suspicious creation of files in /etc for persistence in WSL environments at endpoints.
References
Microsoft Defender XDR & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1202
- Indirect Command Execution
Source
- MDE
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/06/2024 | Initial publish |
Explanation
This query helps to find suspicious files created in /etc for persistence in WSL environments. It looks for specific folders and checks for file creation events within a specified timeframe. It is used for hunting and detecting potential threats in WSL endpoints.
