Query Details

Suspicious Reconnaissance Activity Through Wsl

Query

let WSLSuspicousList = dynamic(["whoami", "uname", "find", "grep", "cron -l", "/etc/shadow", "/etc/passwd", "/etc/sudoers", "w"]); 
let TimeFrame = 30d; // Choose the best timeframe for your investigation
DeviceInfo
    | where RegistryDeviceTag has "WSL2"
    | project DeviceId
| join ( DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | where ActionType == "ProcessCreated"
    | where ProcessCommandLine has_any (WSLSuspicousList)
    | project TimeGenerated, WSLDeviceID = DeviceId, DeviceName, FileName, FolderPath, ProcessId, ProcessCommandLine, AccountDomain, AccountName
    )
on $left.DeviceId == $right.WSLDeviceID
| sort by TimeGenerated desc

About this query

Suspicious reconnaissance activity through WSL

Description

The following query will assist in hunting for suspicious activity similar to reconnaissance in WSL environments at endpoints.

References

Microsoft Defender XDR & Microsoft Sentinel

MITRE ATT&CK Mapping

Source

  • MDE

Versioning

VersionDateComments
1.024/06/2024Initial publish

Explanation

This query helps to find suspicious reconnaissance activity in WSL environments on endpoints by looking for specific commands being run. It checks for commands like "whoami" and "grep" within a specified timeframe and shows details like device name, file name, and account information. It is useful for detecting potential threats in WSL environments.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: June 24, 2024

Tables

DeviceInfoDeviceProcessEvents

Keywords

DevicesIntuneUser

Operators

whereprojectjoinhasisagoanysort by

MITRE Techniques

Actions

GitHub