2019-06-27 21:39:12 +02:00
|
|
|
---
|
|
|
|
|
Name: Wsl.exe
|
|
|
|
|
Description: Windows subsystem for Linux executable
|
|
|
|
|
Author: 'Matthew Brown'
|
|
|
|
|
Created: '2019-06-27'
|
|
|
|
|
Commands:
|
|
|
|
|
- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe
|
|
|
|
|
Description: Executes calc.exe from wsl.exe
|
|
|
|
|
Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands.
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1202
|
|
|
|
|
MitreLink: https://attack.mitre.org/techniques/T1202
|
|
|
|
|
OperatingSystem: Windows 10, Windows 19 Server
|
2019-06-28 15:20:56 +02:00
|
|
|
- Command: wsl.exe -u root -e cat /etc/shadow
|
2019-06-28 17:53:45 +02:00
|
|
|
Description: Cats /etc/shadow file as root
|
|
|
|
|
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1202
|
|
|
|
|
MitreLink: https://attack.mitre.org/techniques/T1202
|
|
|
|
|
OperatingSystem: Windows 10, Windows 19 Server
|
2019-06-27 21:39:12 +02:00
|
|
|
Full_Path:
|
|
|
|
|
- Path: C:\Windows\System32\wsl.exe
|
|
|
|
|
Code_Sample:
|
|
|
|
|
- Code:
|
|
|
|
|
Detection:
|
|
|
|
|
- IOC: Child process from wsl.exe
|
|
|
|
|
Resources:
|
|
|
|
|
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
2019-06-28 18:07:24 +02:00
|
|
|
Acknowledgement:
|
2019-06-28 18:05:34 +02:00
|
|
|
- Person: Alex Ionescu
|
|
|
|
|
Handle: '@aionescu'
|
|
|
|
|
- Person: Matt
|
|
|
|
|
Handle: '@NotoriousRebel1'
|
2019-06-27 21:39:12 +02:00
|
|
|
---
|
