Suspicious Reconnaissance Activity Through Wsl
Query
let WSLSuspicousList = dynamic(["whoami", "uname", "find", "grep", "cron -l", "/etc/shadow", "/etc/passwd", "/etc/sudoers", "w"]);
let TimeFrame = 30d; // Choose the best timeframe for your investigation
DeviceInfo
| where RegistryDeviceTag has "WSL2"
| project DeviceId
| join ( DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any (WSLSuspicousList)
| project TimeGenerated, WSLDeviceID = DeviceId, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, AccountDomain, AccountName
)
on $left.DeviceId == $right.WSLDeviceID
| sort by TimeGenerated descAbout this query
Suspicious reconnaissance activity through WSL
Description
The following query will assist in hunting for suspicious activity similar to reconnaissance in WSL environments at endpoints.
References
Microsoft Defender XDR & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1202
- Indirect Command Execution
Source
- MDE
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 24/06/2024 | Initial publish |
Explanation
This query helps to find suspicious reconnaissance activity in WSL environments on endpoints by looking for specific commands being run. It checks for commands like "whoami" and "grep" within a specified timeframe and shows details like device name, file name, and account information. It is useful for detecting potential threats in WSL environments.
