# Suspicious reconnaissance activity through WSL

### Description

The following query assists in hunting for reconnaissance-like activity in WSL environments on endpoints: process creations on WSL2-tagged devices whose command line contains common Linux enumeration commands or sensitive credential and privilege files.

### References


### Microsoft Defender XDR & Microsoft Sentinel
```
// Linux enumeration commands and sensitive files; "w" is a single short term and can be noisy
let WSLSuspiciousList = dynamic(["whoami", "uname", "find", "grep", "crontab -l", "/etc/shadow", "/etc/passwd", "/etc/sudoers", "w"]);
let TimeFrame = 30d; // Choose the best timeframe for your investigation
DeviceInfo
| where RegistryDeviceTag has "WSL2"
| distinct DeviceId // DeviceInfo reports each device repeatedly; keep one join key per device
| join (
    DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType == "ProcessCreated"
    | where ProcessCommandLine has_any (WSLSuspiciousList)
    // Timestamp exists in both Defender XDR and Sentinel; TimeGenerated is Sentinel-only
    | project Timestamp, WSLDeviceID = DeviceId, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, AccountDomain, AccountName
) on $left.DeviceId == $right.WSLDeviceID
| sort by Timestamp desc
```


### MITRE ATT&CK Mapping
- Tactic: Defense Evasion
- Technique ID: T1202
- [Indirect Command Execution](https://attack.mitre.org/techniques/T1202/)

### Source
- MDE

### Versioning
| Version       | Date          | Comments                          |
| ------------- |---------------| ----------------------------------|
| 1.0           | 24/06/2024    | Initial publish                   |

Explanation

This query helps find suspicious reconnaissance activity in WSL environments on endpoints by looking for specific commands being run. It restricts DeviceProcessEvents to devices tagged WSL2 in DeviceInfo, checks for commands like "whoami" and "grep" within a specified timeframe, and shows details such as device name, file name, and account information. It is useful for detecting potential threats in WSL environments.
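To show what the query's join and `has_any` filter actually select, here is an added Python simulation of the same logic over constructed DeviceInfo and DeviceProcessEvents rows (example code, not part of the original query or the MDE schema). It assumes "crontab -l" as the intended cron-listing term and approximates KQL's term-based, case-insensitive `has` matching, which is what makes the bare "w" term match unrelated Windows command lines such as `powershell.exe -w hidden`.

```python
import re
from datetime import datetime, timedelta, timezone

# Term list mirroring the query (assumption: "crontab -l" is the intended cron-listing term).
WSL_SUSPICIOUS_LIST = ["whoami", "uname", "find", "grep", "crontab -l",
                       "/etc/shadow", "/etc/passwd", "/etc/sudoers", "w"]
NOW = datetime(2024, 6, 24, tzinfo=timezone.utc)  # fixed "now" so the sample is deterministic
TIME_FRAME = timedelta(days=30)

# Constructed sample rows standing in for DeviceInfo and DeviceProcessEvents.
DEVICE_INFO = [
    {"DeviceId": "dev-A", "RegistryDeviceTag": "WSL2"},
    {"DeviceId": "dev-A", "RegistryDeviceTag": "WSL2"},  # DeviceInfo repeats per device report
    {"DeviceId": "dev-B", "RegistryDeviceTag": ""},
]
PROCESS_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "DeviceId": "dev-A", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "wsl.exe -d Ubuntu -- cat /etc/shadow", "AccountName": "alice"},
    {"Timestamp": NOW - timedelta(hours=1), "DeviceId": "dev-A", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "powershell.exe -w hidden -c Get-Date", "AccountName": "alice"},
    {"Timestamp": NOW - timedelta(days=45), "DeviceId": "dev-A", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "wsl.exe -- whoami", "AccountName": "alice"},  # outside TimeFrame
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-B", "ActionType": "ProcessCreated",
     "ProcessCommandLine": "wsl.exe -- uname -a", "AccountName": "bob"},  # not a WSL2 device
]

def terms(text):
    """Approximate KQL term extraction: lower-cased runs of letters and digits."""
    return re.findall(r"[a-z0-9]+", text.lower())

def has(text, needle):
    """Approximate KQL `has`: the needle's terms must appear as a consecutive run of whole terms."""
    t, n = terms(text), terms(needle)
    return any(t[i:i + len(n)] == n for i in range(len(t) - len(n) + 1))

def hunt(device_info, events, now=NOW, time_frame=TIME_FRAME):
    """Join WSL2-tagged device ids against matching process creations, newest first."""
    wsl_ids = {r["DeviceId"] for r in device_info if "WSL2" in r["RegistryDeviceTag"]}
    hits = []
    for e in events:
        if e["DeviceId"] not in wsl_ids or e["ActionType"] != "ProcessCreated":
            continue
        if e["Timestamp"] <= now - time_frame:
            continue
        matched = [s for s in WSL_SUSPICIOUS_LIST if has(e["ProcessCommandLine"], s)]
        if matched:
            hits.append({**e, "MatchedTerms": matched})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)
```

Running `hunt(DEVICE_INFO, PROCESS_EVENTS)` returns two hits: the `/etc/shadow` read and the PowerShell line matched only on the "w" term, which is the kind of result worth reviewing before treating the list as a detection rather than a hunt.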

Details

Michalis Michalos

Released: June 24, 2024

Tables

DeviceInfo, DeviceProcessEvents

Keywords

Devices,Intune,User

Operators

where, project, join, has, is, ago, any, sort by