Built on the open source project Osquery
Description: This query looks for Windows endpoints with WSL feature enabled
What The Data Shows: It provides the list of endpoints with WSL enabled. Some Linux malware can now reach the Windows host from WSL, so an enabled WSL feature widens the attack surface that has to be monitored.
SQL: SELECT * FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1
> Requirement: Windows only
Jon N. made some changes to detect whether WSL is currently running as well as enabled:
    with p as (
        -- wsl_running: any wsl.exe / wslhost.exe process present on the host?
        select case
                 when count(name) > 0 then 'TRUE'
                 when count(name) = 0 then 'FALSE'
               end 'wsl_running',
               1 as 'one'
        from processes
        where name in ('wsl.exe', 'wslhost.exe')
    ),
    wof as (
        -- wsl_enabled: optional feature state as reported by Windows
        select *,
               case statename
                 when 'Enabled'  then 'TRUE'
                 when 'Disabled' then 'FALSE'
               end 'wsl_enabled',
               1 as 'one'
        from windows_optional_features as wof
        where name = 'Microsoft-Windows-Subsystem-Linux' and state = 1
    )
    select wof.name, wof.caption, wof.state, wof.wsl_enabled, p.wsl_running
    from wof join p using(one);
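To run both checks on a schedule rather than ad hoc, the two queries above can be shipped as an osquery query pack. The pack below is an added example, not part of the original page; the pack and query names (wsl_monitoring, wsl_feature_enabled, wsl_feature_and_process) and the one-hour interval are assumptions chosen for illustration.

```json
{
  "platform": "windows",
  "queries": {
    "wsl_feature_enabled": {
      "query": "SELECT name, caption, state, statename FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1;",
      "interval": 3600,
      "platform": "windows",
      "snapshot": false,
      "description": "Differential log: emits an 'added' row when the WSL optional feature becomes enabled on the endpoint."
    },
    "wsl_feature_and_process": {
      "query": "WITH p AS (SELECT CASE WHEN count(name) > 0 THEN 'TRUE' ELSE 'FALSE' END AS wsl_running, 1 AS one FROM processes WHERE name IN ('wsl.exe','wslhost.exe')), wof AS (SELECT *, CASE statename WHEN 'Enabled' THEN 'TRUE' WHEN 'Disabled' THEN 'FALSE' END AS wsl_enabled, 1 AS one FROM windows_optional_features WHERE name = 'Microsoft-Windows-Subsystem-Linux' AND state = 1) SELECT wof.name, wof.caption, wof.state, wof.wsl_enabled, p.wsl_running FROM wof JOIN p USING(one);",
      "interval": 3600,
      "platform": "windows",
      "snapshot": true,
      "description": "Snapshot log: hourly record of whether WSL is enabled and whether a WSL process is running, so a SIEM can alert on endpoints where wsl_running flips to TRUE."
    }
  }
}
```

The first query is differential so it logs only changes (a newly enabled feature), while the second is a snapshot so every run reports the current state; load it with the packs section of osquery.conf or the --pack_delimiter / packs options of the fleet manager in use.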