Wsl.exe
Platform: Windows
Abuse functions: 5
Mapped techniques: 3
Description
Wsl.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: Execute, Download. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1105, T1218. Defenders should monitor execution of Wsl.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.
Abuse functions · 5
Execute (T1202)
Executes a specified file; can be used to execute arbitrary Linux commands.
Execute (T1202)
Executes arbitrary Linux commands as root without needing a password.
Execute (T1202)
Executes arbitrary Linux commands.
Download (T1105)
Download file
Execute (T1218)
Execute a payload as a child process of `bash.exe` while masquerading as WSL.
MITRE ATT&CK techniques · 3
Uses · 3
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Technique | Indirect Command Execution (T1202) | 100% | live |
| Technique | Ingress Tool Transfer (T1105) | 100% | live |
| Technique | System Binary Proxy Execution (T1218) | 100% | live |
Abuses · 2
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Technique | Ingress Tool Transfer (T1105) | 85% | live |
| Technique | System Binary Proxy Execution (T1218) | 85% | live |