Skip to content

Wsl and bash #468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
wietze merged 13 commits into from
Dec 6, 2025
Merged

Wsl and bash #468

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
bf5789c
Update Bash.yml
Liran017 Sep 10, 2025
25765fc
Merge branch 'LOLBAS-Project:master' into wsl-and-bash
Liran017 Sep 10, 2025
f2665dd
Update Bash.yml
Liran017 Sep 10, 2025
aaecf6a
Update Wsl.yml
Liran017 Sep 10, 2025
c019e5a
Merge branch 'LOLBAS-Project:master' into wsl-and-bash
Liran017 Sep 30, 2025
3c0ae7b
Update Wsl.yml
Liran017 Oct 1, 2025
bfc5572
Update Bash.yml
Liran017 Oct 1, 2025
dffe391
Update Wsl.yml
Liran017 Oct 1, 2025
3957d30
Update Bash.yml
Liran017 Oct 1, 2025
85bc30e
Update Wsl.yml
Liran017 Oct 1, 2025
d3fb0d1
Update Bash.yml
Liran017 Oct 1, 2025
a88c719
Update description and use case formatting in Bash.yml
wietze Dec 6, 2025
f3c6dbc
Fix formatting and typos in Wsl.yml description
wietze Dec 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions yml/OSBinaries/Bash.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,15 @@ Commands:
OperatingSystem: Windows 10
Tags:
- Execute: CMD
- Command: bash.exe
Description: When executed, `bash.exe` queries the registry value of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation`, which contains a folder path (`c:\program files\wsl` by default). If the value points to another folder containing a file named `wsl.exe`, it will be executed instead of the legitimate `wsl.exe` in the program files folder.
Usecase: Execute a payload as a child process of `bash.exe` while masquerading as WSL.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\bash.exe
- Path: C:\Windows\SysWOW64\bash.exe
Expand All @@ -49,8 +58,10 @@ Detection:
- IOC: Child process from bash.exe
Resources:
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Link: https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
- Person: Asif Matadar
Handle: '@d1r4c'
- Person: Liran Ravich, CardinalOps
11 changes: 11 additions & 0 deletions yml/OtherMSBinaries/Wsl.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,15 @@ Commands:
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
- Command: wsl.exe
Description: When executed, `wsl.exe` queries the registry value of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Lxss\MSI\InstallLocation`, which contains a folder path (`c:\program files\wsl` by default). If the value points to another folder containing a file named `wsl.exe`, it will be executed instead of the legitimate `wsl.exe` in the program files folder.
Usecase: Execute a payload as a child process of `bash.exe` while masquerading as WSL.
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10, Windows Server 2019, Windows 11
Tags:
- Execute: CMD
Full_Path:
- Path: C:\Windows\System32\wsl.exe
Detection:
Expand All @@ -47,6 +56,7 @@ Detection:
Resources:
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Link: https://twitter.com/nas_bench/status/1535431474429808642
- Link: https://cardinalops.com/blog/bash-and-switch-hijacking-via-windows-subsystem-for-linux/
Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
Expand All @@ -57,3 +67,4 @@ Acknowledgement:
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
- Person: Konrad 'unrooted' Klawikowski
- Person: Liran Ravich, CardinalOps