Query Details

Suspicious Execution Using Wsl

Query

let WSLHostSuspicousList = dynamic(["curl", "/etc/shadow", "/etc/passwd", "cat", "--system", "root", "-e", "--exec", "bash", "/mnt/c/"]); 
let TimeFrame = 30d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | where InitiatingProcessFileName has "wsl.exe"
    | where ProcessCommandLine has_any (WSLHostSuspicousList)
    | project TimeGenerated, DeviceId, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, AccountDomain, AccountName
    | sort by TimeGenerated desc

About this query

Suspicious execution using WSL

Description

The following query will assist in hunting for suspicious execution using WSL environments at endpoints.

References

Microsoft Defender XDR & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

  • MDE

Versioning

VersionDateComments
1.024/06/2024Initial publish

Explanation

This query helps to find suspicious activity on endpoints using WSL (Windows Subsystem for Linux). It looks for specific commands being executed in WSL environments.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: June 24, 2024

Tables

DeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

wherehashas_anyprojectsort by

MITRE Techniques

Actions

GitHub