Description
Rule Tuning Analysis
Rule ID: db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd
Rule Name: Execution via Windows Subsystem for Linux
Rule Type: eql
Classification
| Metric | Value |
|---|---|
| Category | NOISY_NON_PERFORMANT |
| Priority | HIGH |
| Tuning Score | 60.82 |
| Version Status | Established (10 release cycles) |
Performance Metrics
| Metric | Value |
|---|---|
| Avg Duration | 64.3s |
| Max Duration | 141.0s |
| Slow Executions | 13 on 3 clusters |
Alert Telemetry
| Metric | Value |
|---|---|
| Total Alerts (3d) | 18,482 |
| Unique Clusters | 21 |
| Cluster Coverage | 0.8% |
| Daily Average | 6161 |
| Days Active | 3 |
| Coefficient of Variation | 0.71 (MODERATE) |
Analysis Flags
- Noisy on Latest Version: Yes
- Widespread False Positive: No
- Version Regression: No
- Stale and Noisy: No
- Low Version / High Volume: No
- Low Activity: No
Recommendation
Action: Exclude benign echo-only cmd.exe spawned by WSL, and apply the NT object-path exclusions regardless of vendor (or gate them on event.module as well as event.dataset) so that conhost.exe, wsl.exe and Program Files paths are excluded consistently.
Rationale: The rule is noisy primarily due to benign WSL-driven Windows processes (notably cmd.exe /C echo) and NT object-path variants from EDRs (e.g., CrowdStrike) that bypass the current exclusions because they are gated only on event.dataset == "crowdstrike.fdr". Add targeted exclusions for echo-only cmd usage and apply the NT-object path exclusions broadly (or gate on event.module as well) to suppress safe activity while preserving detection of suspicious WSL-launched executions.
Query Modifications
CrowdStrike NT object-path exclusions are gated only on event.dataset == 'crowdstrike.fdr', missing events where module is present but dataset differs or is absent. (Impact: both)
Current:

```eql
and not (
  event.dataset == "crowdstrike.fdr" and
  process.executable : ("\\Device\\HarddiskVolume*\\Program Files (x86)\\*", ...)
)
```

Modify →

```eql
and not (
  (event.dataset : "crowdstrike*" or event.module == "crowdstrike") and
  process.executable : (
    "\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
    "\\Device\\HarddiskVolume*\\Program Files\\*",
    "\\Device\\HarddiskVolume*\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\lxss\\wslhost.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\WerFault.exe",
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\wslconfig.exe"
  )
)
```

Ensures the NT object-path exclusions apply to CrowdStrike events that carry event.module but set event.dataset differently or not at all. This removes the conhost.exe and wsl.exe false positives seen in the CrowdStrike events below and leaves fewer matches for the rule to process; it does not change which indices are searched, only which events match.
Benign echo-only cmd spawned by WSL generates large FP volume. (Impact: accuracy)
Current:

```eql
process where ... and process.parent.name : ("wsl.exe", "wslhost.exe") and not ...
```

Modify →

```eql
process where host.os.type == "windows" and event.type : "start" and
  process.parent.name : ("wsl.exe", "wslhost.exe") and
  not process.executable : (
    "?:\\Program Files (x86)\\*",
    "?:\\Program Files\\*",
    "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
    "?:\\Windows\\System32\\conhost.exe",
    "?:\\Windows\\System32\\lxss\\wslhost.exe",
    "?:\\Windows\\System32\\WerFault.exe",
    "?:\\Windows\\Sys?????\\wslconfig.exe",
    "\\Device\\HarddiskVolume*\\Program Files (x86)\\*",
    "\\Device\\HarddiskVolume*\\Program Files\\*",
    "\\Device\\HarddiskVolume*\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\conhost.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\lxss\\wslhost.exe",
    "\\Device\\HarddiskVolume*\\Windows\\System32\\WerFault.exe",
    "\\Device\\HarddiskVolume*\\Windows\\Sys?????\\wslconfig.exe"
  ) and
  not (process.name == "cmd.exe" and process.command_line : "* /C echo*")
```

Adds a targeted exclusion for echo-only cmd.exe usage and puts the NT object-path variants in the main exclusion list, so they apply to every data source; with that in place the separate event.dataset-gated block above becomes redundant and can be dropped. The parent-name match keeps the original rule's case-insensitive `:` operator rather than `in`, which is case-sensitive in EQL. Two caveats on the echo exclusion: `"* /C echo*"` also matches command lines such as `cmd.exe /C echo x & <other command>`, so chained or redirected commands would be suppressed along with the benign bridge call; if that matters in your environment, additionally require that the command line contains no `&`, `|`, `>` or `<`. Malicious use of cmd.exe for execution (without a leading echo) is not affected.
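To check what the two query changes above actually do before touching the rule, the following is an added example (not code from the detection-rules repository or the tuning advisor) that re-implements the rule's exclusion logic in Python and runs the current query, the proposed query and a tightened variant of the echo exclusion over a handful of constructed process-start events. The events are made up for illustration, the `fnmatch`-based matcher is an approximation of EQL `:` wildcard semantics, and `proposed_rule_tight` with its `CHAIN_OPERATORS` list is my own suggestion rather than anything on the page.

```python
"""Offline check of the exclusion logic proposed above against constructed
process-start events. The events are made up for illustration (not real
telemetry) and the wildcard matcher approximates EQL ':' semantics."""
from fnmatch import fnmatchcase

# Drive-letter exclusions from the rule; the NT object-path variants are the
# same list with the "?:\" prefix swapped for "\Device\HarddiskVolume*\".
DRIVE_EXCLUSIONS = [
    "?:\\Program Files (x86)\\*",
    "?:\\Program Files\\*",
    "?:\\Program Files*\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\wsl*.exe",
    "?:\\Windows\\System32\\conhost.exe",
    "?:\\Windows\\System32\\lxss\\wslhost.exe",
    "?:\\Windows\\System32\\WerFault.exe",
    "?:\\Windows\\Sys?????\\wslconfig.exe",
]
NT_EXCLUSIONS = [p.replace("?:\\", "\\Device\\HarddiskVolume*\\", 1) for p in DRIVE_EXCLUSIONS]

# Assumption (not from the page): cmd.exe operators that turn "echo ..." into
# "echo ... and then something else".
CHAIN_OPERATORS = ("&", "|", ">", "<", "^")


def wildcard(value, patterns):
    """EQL ':' semantics: case-insensitive, '*' matches any run, '?' one char."""
    v = (value or "").lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def base_match(ev):
    """The rule's positive conditions plus the drive-letter exclusions."""
    return (wildcard(ev.get("host.os.type"), ["windows"])
            and wildcard(ev.get("event.type"), ["start"])
            and wildcard(ev.get("process.parent.name"), ["wsl.exe", "wslhost.exe"])
            and not wildcard(ev.get("process.executable"), DRIVE_EXCLUSIONS))


def current_rule(ev):
    """As deployed: NT-path exclusions only when event.dataset == 'crowdstrike.fdr'."""
    if not base_match(ev):
        return False
    gated = ev.get("event.dataset") == "crowdstrike.fdr"
    return not (gated and wildcard(ev.get("process.executable"), NT_EXCLUSIONS))


def is_echo_cmd(ev):
    """The proposal's 'cmd.exe /C echo' exclusion, exactly as written on the page."""
    return (wildcard(ev.get("process.name"), ["cmd.exe"])
            and wildcard(ev.get("process.command_line"), ["* /C echo*"]))


def proposed_rule(ev):
    """The page's proposal: NT-path exclusions for every source, plus the echo exclusion."""
    if not base_match(ev) or wildcard(ev.get("process.executable"), NT_EXCLUSIONS):
        return False
    return not is_echo_cmd(ev)


def proposed_rule_tight(ev):
    """My tightening (not on the page): the echo exclusion applies only when no
    chaining or redirection operator appears in the command line."""
    if not base_match(ev) or wildcard(ev.get("process.executable"), NT_EXCLUSIONS):
        return False
    cl = ev.get("process.command_line") or ""
    return not (is_echo_cmd(ev) and not any(op in cl for op in CHAIN_OPERATORS))


def _ev(fields):
    """Constructed Windows process-start event with the rule's common fields filled in."""
    return {"host.os.type": "windows", "event.type": "start", **fields}


# Constructed sample events (illustrative values, not captured data).
SAMPLE_EVENTS = {
    # CrowdStrike record carrying event.module but no event.dataset; conhost via NT path.
    "cs_conhost": _ev({"event.module": "crowdstrike",
                       "process.parent.name": "wsl.exe", "process.name": "conhost.exe",
                       "process.executable": "\\Device\\HarddiskVolume3\\Windows\\System32\\conhost.exe",
                       "process.command_line": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}),
    # Elastic Endpoint: the benign echo bridge described in events 3 and 4.
    "echo_only": _ev({"event.dataset": "endpoint.events.process",
                      "process.parent.name": "wslhost.exe", "process.name": "cmd.exe",
                      "process.executable": "C:\\Windows\\System32\\cmd.exe",
                      "process.command_line": "C:\\Windows\\system32\\cmd.exe /C echo.%UserProfile%"}),
    # echo followed by a chained command: the page's echo exclusion would hide this.
    "echo_chain": _ev({"event.dataset": "endpoint.events.process",
                       "process.parent.name": "wsl.exe", "process.name": "cmd.exe",
                       "process.executable": "C:\\Windows\\System32\\cmd.exe",
                       "process.command_line": "cmd.exe /C echo ok & powershell -nop -w hidden -enc SQBFAFgA"}),
    # Binary in a user-writable path: must alert under every variant.
    "temp_binary": _ev({"event.dataset": "endpoint.events.process",
                        "process.parent.name": "wsl.exe", "process.name": "payload.exe",
                        "process.executable": "C:\\Users\\dev\\AppData\\Local\\Temp\\payload.exe",
                        "process.command_line": "payload.exe"}),
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample event to {rule variant: alerts?}."""
    rules = (current_rule, proposed_rule, proposed_rule_tight)
    return {name: {r.__name__: r(ev) for r in rules} for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:12s}", " ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the two effects the proposal is after (the module-only CrowdStrike conhost event and the echo bridge stop alerting while the Temp-directory binary still does) and the side effect it does not mention: the `"* /C echo*"` pattern also silences `echo ... & powershell ...`, which only the tightened variant keeps.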
Exception Recommendations
Add exception: process.command_line wildcard "*cmd.exe /C echo*" (Confidence: HIGH)

Events 3 and 4 (Elastic Endpoint) show wslhost.exe spawning cmd.exe with '/C echo.%UserProfile%'; this is a benign echo-only operation common in WSL bridges and developer workflows. Excluding only echo keeps coverage against malicious cmd.exe used for execution while removing frequent FP noise.

Modify → `and process.command_line wildcard "*cmd.exe /C echo*"`

Add exception: process.executable wildcard "\Device\HarddiskVolume*\Windows\System32\conhost.exe" (Confidence: HIGH)

Event 1 (CrowdStrike) shows conhost.exe via NT object path. The rule already excludes drive-letter conhost.exe, and excludes the CrowdStrike NT paths only when event.dataset == 'crowdstrike.fdr'. Applying the NT path exclusion universally (independent of dataset) prevents benign console host spawns from WSL from alerting.

Modify → `and process.executable wildcard "\Device\HarddiskVolume*\Windows\System32\conhost.exe"`

Add exception: process.executable wildcard "\Device\HarddiskVolume*\Program Files\WSL\wsl.exe" (Confidence: HIGH)

Event 2 (CrowdStrike) shows wsl.exe under Program Files via NT object path. This is the legitimate WSL binary. The rule excludes wsl*.exe only for WindowsApps and Program Files (drive-letter paths) and misses the NT object path unless event.dataset == 'crowdstrike.fdr'. Adding this NT path exclusion prevents safe parent/self invocations from alerting.

Modify → `and process.executable wildcard "\Device\HarddiskVolume*\Program Files\WSL\wsl.exe"`

Field-Level Recommendations

| Field | Value | Alert % | Cluster % | Confidence | Type |
|---|---|---|---|---|---|
| process.command_line | `*cmd.exe /C echo*` | 0.0% | 50.0% | HIGH | EXCEPTION |
| process.executable | `\Device\HarddiskVolume*\Window...` | 0.0% | 30.0% | HIGH | EXCEPTION |
| process.executable | `\Device\HarddiskVolume*\Progra...` | 0.0% | 25.0% | HIGH | EXCEPTION |
This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2026-01-19T06:12:02.941564