From bc947fefc1eb285098a5a4166bbeadb4a029958b Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 13:36:40 +1100
Subject: [PATCH] Create win_susp_wsl_lolbin.yml
---
.../process_creation/win_susp_wsl_lolbin.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/process_creation/win_susp_wsl_lolbin.yml
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
new file mode 100644
index 000000000..da196a739
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+  - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+  - attack.execution
+  - attack.defense_evasion
+  - attack.t1218
+  - attack.t1202
+author: Zach Stanford '@svch0st'
+date: 2020/10/05
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith:
+      - '\wsl.exe'
+    CommandLine|contains:
+      - ' -e '
+      - ' --exec '
+  condition: selection
+falsepositives:
+  - Automation and orchestration scripts may use this method execute scripts etc
+level: medium
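Review bot: The selection fires only when the command line contains ` -e ` or ` --exec `, but the LOLBAS page cited under `references` also documents wsl.exe running a command passed as a plain argument, so those documented invocation forms fall outside this rule as written; either state that narrowed scope in `description` or extend `CommandLine|contains` to the other forms shown on the referenced page, keeping in mind that plain-argument matching will raise the false-positive rate against the automation usage already listed. The rule's `description` text should also say so explicitly, e.g. `description: Detects wsl.exe launched with the -e or --exec switch, one of the WSL invocation forms documented as a LOLBIN`. Separately, `Image|endswith` holds a single-item list where a scalar is the usual Sigma form, `Image|endswith: '\wsl.exe'`, and the `falsepositives` entry is missing a word: `- Automation and orchestration scripts may use this method to execute scripts etc.`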