logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Windows with WSL enabled

Status: Approved Submitted by on ‎09-20-2021 05:54 AM

Description: This query looks for Windows endpoints with WSL feature enabled

What The Data Shows: It provides the list of endpoints with WSL enabled. Some Linux malwares can now infect Windows OS from WSL.

SQL: SELECT * FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1

> Requirement: Windows only

Tags (1)
Comment
2 Comments
slist
Carbon Black Employee
‎09-21-2021 02:34 AM
‎09-21-2021 02:34 AM

Jon N. made some changes to detect if it was running currently:

 

with p as (
    select 
        case 
            when count(name) > 0
            then 'TRUE'
            when count(name) = 0 
            then 'FALSE'
        end 'wsl_running',
    1 as 'one'
    from processes 
    where name 
        in ('wsl.exe','wslhost.exe')
),
wof as (
    select *,
        case statename
            when 'Enabled'
            then 'TRUE'
            when 'Disabled'
            then 'FALSE'
        end 'wsl_enabled',
        1 as 'one' 
    from windows_optional_features as wof
    where name = 'Microsoft-Windows-Subsystem-Linux' 
        and state = 1
)
select wof.name,wof.caption,wof.state,wof.wsl_enabled,p.wsl_running
from wof
join p using(one);
jnelson
Carbon Black Employee
‎09-21-2021 11:06 AM
‎09-21-2021 11:06 AM
Status changed to: Approved
 
logo