WSL Child Process Anomaly (2267fe65-0681-42ad-9a6d-46553d3f3480)

Detects uncommon or suspicious child processes spawned by a WSL process. This could indicate an attempt to evade parent/child relationship detections, or a persistence attempt via cron using WSL.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) | Attack Pattern | WSL Child Process Anomaly (2267fe65-0681-42ad-9a6d-46553d3f3480) | Sigma-Rules | 1 |
| WSL Child Process Anomaly (2267fe65-0681-42ad-9a6d-46553d3f3480) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |