mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-25 14:29:24 +01:00
commit
dd545693da
31
yml/OtherMSBinaries/Wsl.yml
Normal file
31
yml/OtherMSBinaries/Wsl.yml
Normal file
@ -0,0 +1,31 @@
|
||||
---
|
||||
Name: Wsl.exe
|
||||
Description: Windows subsystem for Linux executable
|
||||
Author: 'Matthew Brown'
|
||||
Created: '2019-06-27'
|
||||
Commands:
|
||||
- Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe
|
||||
Description: Executes calc.exe from wsl.exe
|
||||
Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
- Command: wsl.exe -u root -e cat /etc/shadow
|
||||
Description: Cats /etc/shadow file as root
|
||||
Usecase: Performs execution of arbitrary Linux commands as root without need for password.
|
||||
Category: Execute
|
||||
Privileges: User
|
||||
MitreID: T1202
|
||||
MitreLink: https://attack.mitre.org/techniques/T1202
|
||||
OperatingSystem: Windows 10, Windows 19 Server
|
||||
Full_Path:
|
||||
- Path: C:\Windows\System32\wsl.exe
|
||||
Code_Sample:
|
||||
- Code:
|
||||
Detection:
|
||||
- IOC: Child process from wsl.exe
|
||||
Resources:
|
||||
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
|
||||
---
|
Loading…
Reference in New Issue
Block a user