From ff7dd5893bbfdd6d20dac46cc4a6b1f443e8f3ba Mon Sep 17 00:00:00 2001 From: NotoriousRebel Date: Thu, 27 Jun 2019 15:39:12 -0400 Subject: [PATCH] Added Wsl.yml --- yml/OSBinaries/Wsl.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/OSBinaries/Wsl.yml diff --git a/yml/OSBinaries/Wsl.yml b/yml/OSBinaries/Wsl.yml new file mode 100644 index 0000000..4f8880e --- /dev/null +++ b/yml/OSBinaries/Wsl.yml @@ -0,0 +1,23 @@ +--- +Name: Wsl.exe +Description: Windows subsystem for Linux executable +Author: 'Matthew Brown' +Created: '2019-06-27' +Commands: + - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe + Description: Executes calc.exe from wsl.exe + Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands. + Category: Execute + Privileges: User + MitreID: T1202 + MitreLink: https://attack.mitre.org/techniques/T1202 + OperatingSystem: Windows 10, Windows 19 Server +Full_Path: + - Path: C:\Windows\System32\wsl.exe +Code_Sample: + - Code: +Detection: + - IOC: Child process from wsl.exe +Resources: + - Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules +---
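Review bot: the OperatingSystem line in this hunk reads "Windows 10, Windows 19 Server", and "Windows 19 Server" is not a Windows product name; the intended value is presumably Windows Server 2019, so suggest `OperatingSystem: Windows 10, Windows Server 2019`. In the same hunk, Code_Sample carries an empty `- Code:` entry and the Detection IOC "Child process from wsl.exe" does not state the relationship a rule would key on; suggest either filling the Code_Sample entry or dropping it, and phrasing the IOC as wsl.exe appearing as the parent of a child process (here calc.exe, matching the `wsl.exe -e` Command and its "Executes calc.exe from wsl.exe" description). Minor: the Description should capitalize the product name as "Windows Subsystem for Linux executable".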