update: add more filters and adjust metadata

Author: swachchhanda000

rules/windows/file/file_event/file_event_win_wsl_binary_modification.yml

@@ -1,22 +1,38 @@
-title: WSL Binary Modification
+title: WSL Binary Modification from Installed Location
 id: 2f400434-01e1-416b-b52c-bb5bfbb9eb78
 status: experimental
-description: Detects the modification of WSL.exe in program files. When WSL or Bash are exectued in Windows, the respective file in the System32 folder is executed and calls WSL.exe from program files.
+description: |
+    Detects the modification of the wsl.exe binary from its installed location.
+    Attackers can replace the legitimate wsl.exe binary with a malicious payload in its place, which is then executed when the user runs WSL, acting as a proxy execution and defense evasion technique.
 references:
     - https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
-author: Liran Ravich
-date: 2025-10-01
+author: Liran Ravich, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-05-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
     - attack.t1218
 logsource:
     category: file_event
     product: windows
 detection:
-    selection:
-        TargetFilename|contains: 'c:\program files\wsl\wsl.exe'
-    condition: selection
+    selection_wsl_exe:
+        TargetFilename|endswith: '\wsl.exe'
+    selection_wsl_folder:
+        - TargetFilename|contains:
+              - ':\Program files\wsl\'
+              - ':\Program files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_'
+        - TargetFilename|contains|all:
+              - ':\Users\'
+              - '\AppData\Local\Microsoft\WindowsApps\'
+    filter_main_msiexec:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+    filter_main_svchost:
+        Image: 'C:\Windows\System32\svchost.exe'
+        TargetFilename|contains: '\WindowsApps\'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
-    - When installing WSL for the first time, this file is created by msiexec.exe.
-level: high
+    - Legitimate modification of WSL.exe by the user or by Windows updates.
+level: medium # keeping as medium as there might still be legitimate process that create wsl.exe

rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml

@@ -1,13 +1,15 @@
 title: WSL Executed From Unusual Directory
 id: 792eba32-3c95-4144-a7dd-030f4a4cdb8b
 status: experimental
-description: Detects the execution of wsl.exe from an unusual path. This could point to a possible hijack of WSL, intended to make it run a malicious payload upon execution of WSL or Bash.
+description: |
+    Detects the execution of wsl.exe from an unusual path.
+    This could point to a possible hijack of WSL, intended to make it run a malicious payload upon execution of WSL or Bash.
 references:
     - https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
-author: Liran Ravich
-date: 2025-10-01
+author: Liran Ravich, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-05-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
     - attack.t1036.005
     - attack.t1218
 logsource:
@@ -20,12 +22,15 @@ detection:
         Image:
             - 'C:\Windows\System32\wsl.exe'
             - 'C:\Program Files\WSL\wsl.exe'
+            - 'C:\$windows.~bt\newos\windows\system32\wsl.exe'
     filter_main_legit_paths_2:
         Image|startswith:
             - 'C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_'
             - 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
+            - 'C:\ProgramData\Microsoft\Windows\Containers\Layers\'
+            - 'C:\Windows\SoftwareDistribution\Download\'
     filter_main_legit_paths_3:
-        Image|startswith: 'C:\Users'
+        Image|startswith: 'C:\Users\'
         Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
     condition: selection_img and not 1 of filter_main_*
 falsepositives:

rules/windows/registry/registry_set/registry_set_wsl_installlocation_registry_key_modification.yml

@@ -1,13 +1,17 @@
 title: WSL InstallLocation Registry Key Modification
 id: 83475063-b1c8-4774-9568-69bbda71a539
 status: experimental
-description: Detects the modification of the registry key realted to WSL InstallLocation. The key points to a path, in which any file named wsl.exe will be executed upon execution of wsl or bash.
+description: |
+    Detects modifications to the Windows Subsystem for Linux (WSL) InstallLocation registry key.
+    Attackers can modify this registry key to redirect the execution flow of legitimate WSL processes (wsl.exe or bash.exe) to a malicious payload, acting as a proxy execution and defense evasion technique.
 references:
     - https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
-author: Liran Ravich
-date: 2025-10-01
+author: Liran Ravich, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-05-05
 tags:
-    - attack.defense-evasion
+    - attack.stealth
+    - attack.defense-impairment
+    - attack.persistence
     - attack.t1112
     - attack.t1218
 logsource:
@@ -16,7 +20,17 @@ logsource:
 detection:
     selection:
         TargetObject|contains: '\Lxss\MSI\InstallLocation'
-    condition: selection
+    filter_main_legitimate_binary:
+        - Details: 'C:\Program Files\WSL'
+        - Details|contains:
+              - ':\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux_'
+              - '\AppData\Local\Microsoft\WindowsApps'
+              - '%ProgramFiles%'
+    filter_main_msiexec:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unlikely
 level: high