WSL Child Process Anomaly

Rule Info

Name
WSL Child Process Anomaly
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Reference
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
Date
2023-01-23 00:00:00
Modified
2023-08-15 00:00:00
Id
2267fe65-0681-42ad-9a6d-46553d3f3480
Tags
attack.execution attack.defense_evasion attack.t1218 attack.t1202 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=2267fe65-0681-42ad-9a6d-46553d3f3480

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
feat: update bash lolbin rules
2023-08-15
99387042c
Nasreddine Bencherchali
feat: more rules updates
2023-02-14
2ef681291
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
fix: broken condition
2023-01-24
9e2c01521
Nasreddine Bencherchali
feat: update wsl related rules and other
2023-01-24
d7bf5383a
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022