Merge pull request #1032 from svch0stz/oscd

[OSCD] Created win_susp_wsl_lolbin.yml

rules/windows/process_creation/win_susp_wsl_lolbin.yml

@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.t1202
+author: 'oscd.community, Zach Stanford @svch0st'
+date: 2020/10/05
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\wsl.exe'
+        CommandLine|contains:
+            - ' -e '
+            - ' --exec '
+    condition: selection
+falsepositives:
+    - Automation and orchestration scripts may use this method execute scripts etc
+level: medium