From bc947fefc1eb285098a5a4166bbeadb4a029958b Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 13:36:40 +1100
Subject: [PATCH 1/4] Create win_susp_wsl_lolbin.yml
---
 .../process_creation/win_susp_wsl_lolbin.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_wsl_lolbin.yml
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
new file mode 100644
index 000000000..da196a739
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+author: Zach Stanford '@svch0st'
+date: 2020/10/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wsl.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --exec '
+ condition: selection
+falsepositives:
+ - Automation and orchestration scripts may use this method execute scripts etc
+level: medium
From c675be41e2802b72681725005bdeb9d04460ed83 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 13:57:50 +1100
Subject: [PATCH 2/4] Create win_net_use_admin_share.yml
---
 .../win_net_use_admin_share.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/win_net_use_admin_share.yml
diff --git a/rules/windows/process_creation/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml
new file mode 100644
index 000000000..2493c2fad
--- /dev/null
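Review bot: The selection in this hunk only fires when the command line carries `' -e '` or `' --exec '`, but wsl.exe also runs a command that is passed without either flag (via the distribution's default shell, as the LOLBAS reference this rule cites describes), so that form is silently out of scope; either state the limitation in `description` or add a second selection for it. The space-padded patterns also depend on the logsource preserving single-space separation, which I cannot confirm from here, so a short comment on why the padding is there would help the next maintainer. Two wording fixes in the same file: `description: Detects possible usage of the Windows Subsystem for Linux (WSL) binary as a LOLBIN` and `- Automation and orchestration scripts may use this method to execute scripts`.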
+++ b/rules/windows/process_creation/win_net_use_admin_share.yml
@@ -0,0 +1,26 @@
+title: Mounted Windows Admin Shares with net.exe
+id: 3abd6094-7027-475f-9630-8ab9be7b9725
+status: experimental
+description: Detects when an admin share is mounted using net.exe
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
+date: 2020/10/05
+tags:
+ - attack.lateral_movement
+ - attack.T1021.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - ' use '
+ - '\\\\*\*$*'
+ condition: selection
+falsepositives:
+ - Administrators
+level: medium
From 3516819bf819cd01f010ccaa47592f9115e71925 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Mon, 5 Oct 2020 14:00:36 +1100
Subject: [PATCH 3/4] Delete win_net_use_admin_share.yml
---
 .../win_net_use_admin_share.yml | 26 -------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_net_use_admin_share.yml
diff --git a/rules/windows/process_creation/win_net_use_admin_share.yml b/rules/windows/process_creation/win_net_use_admin_share.yml
deleted file mode 100644
index 2493c2fad..000000000
--- a/rules/windows/process_creation/win_net_use_admin_share.yml
+++ /dev/null
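Review bot: The second `CommandLine|contains|all` value `'\\\\*\*$*'` looks mis-escaped: under Sigma's escaping rules as I read them `\*` is a literal asterisk and only `\\*` is a backslash followed by a wildcard, so as written the pattern requires a literal `*` before the `$` and would not match a UNC path of the `\\<host>\<share>$` shape; if that is the intent, `'\\\\*\\*$*'` expresses it, and a comment above the value explaining the escaping would keep it from being "fixed" back. The tag `attack.T1021.002` is uppercase while the sibling rule in this series writes `attack.t1218`; Sigma's tag convention is lowercase, so `- attack.t1021.002`. The only reference is a Google Drive link, which is neither durable nor self-describing; citing the technique page for T1021.002 alongside it would document what the rule is meant to catch. Patch 3/4 deletes this file again, so these points apply only if the rule is reintroduced.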
@@ -1,26 +0,0 @@
-title: Mounted Windows Admin Shares with net.exe
-id: 3abd6094-7027-475f-9630-8ab9be7b9725
-status: experimental
-description: Detects when an admin share is mounted using net.exe
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st'
-date: 2020/10/05
-tags:
- - attack.lateral_movement
- - attack.T1021.002
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\net.exe'
- - '\net1.exe'
- CommandLine|contains|all:
- - ' use '
- - '\\\\*\*$*'
- condition: selection
-falsepositives:
- - Administrators
-level: medium
From ee2c79745f73a4a701491afd6547b7c0c4c1cf76 Mon Sep 17 00:00:00 2001
From: svch0stz <8684257+svch0stz@users.noreply.github.com>
Date: Wed, 7 Oct 2020 08:12:51 +1100
Subject: [PATCH 4/4] Update win_susp_wsl_lolbin.yml
---
 rules/windows/process_creation/win_susp_wsl_lolbin.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
index da196a739..71c561a9b 100644
--- a/rules/windows/process_creation/win_susp_wsl_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -9,7 +9,7 @@ tags:
 - attack.defense_evasion
 - attack.t1218
 - attack.t1202
-author: Zach Stanford '@svch0st'
+author: 'oscd.community, Zach Stanford @svch0st'
 date: 2020/10/05
 logsource:
 category: process_creation