detection.wiki

Detection rules › Sigma

WSL Kali-Linux Usage

Severity
high
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects the use of Kali Linux through Windows Subsystem for Linux

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1202 Indirect Command Execution

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_img_appdata

or:
Image|contains: ':\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\kali.exe'
Image|contains: ':\Users\'
Image|contains: '\AppData\Local\packages\KaliLinux'

Stage 2: 1 of selection_img_windowsapps

Image|endswith: '\kali.exe'
Image|contains: ':\Program Files\WindowsApps\KaliLinux.'

Stage 3: all of selection_kali_wsl_parent

or:
ParentImage|endswith: '\wsl.exe'
ParentImage|endswith: '\wslhost.exe'

Stage 4: all of selection_kali_wsl_child

or:
CommandLine|contains: Kali-linux
CommandLine|contains: Kali.exe
CommandLine|contains: kalilinux
Image|contains: '\KaliLinux'
Image|contains: '\kali.exe'

Stage 5: not 1 of filter_main_install_uninstall

or:
CommandLine|contains: ' --install '
CommandLine|contains: ' --unregister '
CommandLine|contains: ' -i '

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • --install corpus 2 (sigma 2)
  • --unregister
  • -i corpus 3 (sigma 3)
  • Kali-linux
  • Kali.exe
  • kalilinux
Imageends_with
  • \kali.exe
Imagematch
  • :\Program Files\WindowsApps\KaliLinux.
  • :\Users\ corpus 3 (sigma 3)
  • \AppData\Local\Microsoft\WindowsApps\kali.exe
  • \AppData\Local\packages\KaliLinux
  • \KaliLinux
  • \kali.exe
ParentImageends_with
  • \wsl.exe corpus 4 (sigma 4)
  • \wslhost.exe corpus 2 (sigma 2)