Skip to content

Wsl rules#5668

Open
Liran017 wants to merge 9 commits into
SigmaHQ:masterfrom
Liran017:WSL-rules
Open

Wsl rules#5668
Liran017 wants to merge 9 commits into
SigmaHQ:masterfrom
Liran017:WSL-rules

Conversation

@Liran017

@Liran017 Liran017 commented Oct 1, 2025
edited by swachchhanda000
Loading

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

This PR includes new rules that are related to WSL in Windows.

The full breakdown can be found here:
https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/.

Changelog

new: WSL Binary Modification from Installed Location
new: WSL Binary Hijack via Proxy Execution
new: WSL InstallLocation Registry Key Modification Via CommandLine
new: WSL Binary Masquerading
new: WSL InstallLocation Registry Key Modification

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Windows Pull request add/update windows related rules labels Oct 1, 2025
swachchhanda000
swachchhanda000 reviewed Oct 9, 2025
View reviewed changes
Comment thread rules/windows/file/file_event/file_event_win_wsl_binary_modification.yml Outdated
swachchhanda000
swachchhanda000 requested changes Oct 9, 2025
View reviewed changes
Comment thread rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml
Comment thread rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml
Comment thread ...ows/registry/registry_event/registry_event_wsl_installlocation_registry_key_modification.yml
@swachchhanda000 swachchhanda000 added Author Input Required changes the require information from original author of the rules Additional Data Needed labels Oct 9, 2025
@nasbench nasbench self-requested a review December 24, 2025 16:52
swachchhanda000
swachchhanda000 requested changes Feb 19, 2026
View reviewed changes

@swachchhanda000 swachchhanda000 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HI @Liran017,

I apologize for the delayed response on this pull request.

I have again reviewed some changes you made and there are still some questions/suggestions your way before we can approve this PR.

Thank you for your patience and effort on this PR.

Comment thread rules/windows/file/file_event/file_event_win_wsl_binary_modification.yml Outdated
Comment thread ...ows/registry/registry_event/registry_event_wsl_installlocation_registry_key_modification.yml Outdated
Comment thread ...windows/registry/registry_set/registry_set_wsl_installlocation_registry_key_modification.yml Outdated
Comment thread rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml Outdated
Comment thread rules/windows/process_creation/proc_creation_win_wsl_executed_from_unusual_directoy.yml Outdated
swachchhanda000 and others added 3 commits May 5, 2026 09:20
@swachchhanda000 @Liran017
Add WSL binary modification file event detection rule
c8d1f63 
Co-Authored-By: Liran Ravich <61919718+Liran017@users.noreply.github.com>
@swachchhanda000 @Liran017
Add WSL executed from unusual directory process creation rule
ca2872e 
Co-Authored-By: Liran Ravich <61919718+Liran017@users.noreply.github.com>
@swachchhanda000 @Liran017
Add WSL install location registry key modification detection rule
8e05e0e 
Co-Authored-By: Liran Ravich <61919718+Liran017@users.noreply.github.com>
@swachchhanda000 swachchhanda000 removed Author Input Required changes the require information from original author of the rules Additional Data Needed labels May 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frack113 frack113 frack113 approved these changes

@swachchhanda000 swachchhanda000 swachchhanda000 approved these changes

@nasbench nasbench Awaiting requested review from nasbench

@phantinuss phantinuss Awaiting requested review from phantinuss

+1 more reviewer

@david-syk david-syk david-syk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Rules Windows Pull request add/update windows related rules

Projects

None yet

Milestone

Sigma-June-Release

Development

Successfully merging this pull request may close these issues.

5 participants

@Liran017 @frack113 @swachchhanda000 @david-syk @nasbench