← Back to SOC feed Coverage →

WSL Child Process Anomaly

sigma MEDIUM SigmaHQ
T1218T1202
imProcessCreate
persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-24T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Detection Rule

Sigma (Original)

title: WSL Child Process Anomaly
id: 2267fe65-0681-42ad-9a6d-46553d3f3480
related:
    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
      type: derived
status: test
description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
    - https://twitter.com/nas_bench/status/1535431474429808642
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2023-08-15
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_children_images:
        Image|endswith:
            # Add more suspicious/uncommon "lolbin" processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_children_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
            - 'C:\Temp\'
            - '\Downloads\'
            - '\Desktop\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\wsl.exe" or ParentProcessName endswith "\\wslhost.exe") or (ActingProcessName endswith "\\wsl.exe" or ActingProcessName endswith "\\wslhost.exe")) and ((TargetProcessName endswith "\\calc.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\cscript.exe" or TargetProcessName endswith "\\mshta.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\regsvr32.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\wscript.exe") or (TargetProcessName contains "\\AppData\\Local\\Temp\\" or TargetProcessName contains "C:\\Users\\Public\\" or TargetProcessName contains "C:\\Windows\\Temp\\" or TargetProcessName contains "C:\\Temp\\" or TargetProcessName contains "\\Downloads\\" or TargetProcessName contains "\\Desktop\\"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml