WSL
Overview
Evidence: WSL
Description: Collect Windows Subsystem for Linux Files
Category: Applications
Platform: windows
Short Name: wsl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Subsystem for Linux (WSL) stores Linux user files including bash history, bash configuration, and logout scripts in the WSL distribution's file system. These files track Linux command history and shell configurations.
Data Collected
This collector gathers structured data about WSL.
Collection Method
This collector gathers bash history, bashrc configuration, and bash logout files from WSL distribution packages in LocalState directories.
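An added example (not the collector's own code) of the collection step described above: it walks a Packages directory, hashes the three bash files for each user, and reports WSL2 disk images separately. The LocalState\rootfs\home\<user> layout, the ext4.vhdx file name, and the names find_wsl_artifacts and build_sample_tree are assumptions of this example; the sample tree is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the page: bash history, bashrc, bash logout.
TARGETS = (".bash_history", ".bashrc", ".bash_logout")


def find_wsl_artifacts(packages_root):
    """Return (artifacts, vhdx_images) found under a Packages directory.

    Assumed layout (not stated on the page):
      <package>/LocalState/rootfs/{root,home/<user>}/<file>   WSL1
      <package>/LocalState/ext4.vhdx                          WSL2
    """
    artifacts, vhdx_images = [], []
    for local_state in sorted(Path(packages_root).glob("*/LocalState")):
        package = local_state.parent.name
        vhdx = local_state / "ext4.vhdx"
        if vhdx.is_file():
            # WSL2 keeps the file system inside a disk image; the bash files
            # are not reachable by path and the image must be taken whole.
            vhdx_images.append(str(vhdx))
        rootfs = local_state / "rootfs"
        homes = [rootfs / "root"] + sorted((rootfs / "home").glob("*"))
        for home in homes:
            for name in TARGETS:
                path = home / name
                # Regular files only; symlinks are skipped, not followed.
                if path.is_file() and not path.is_symlink():
                    digest = hashlib.sha256(path.read_bytes()).hexdigest()
                    artifacts.append({"package": package, "user": home.name,
                                      "file": name, "sha256": digest})
    return artifacts, vhdx_images


def build_sample_tree(base):
    """Constructed sample data: one WSL1-style and one WSL2-style package."""
    home = Path(base) / "ExampleDistro_pkg" / "LocalState" / "rootfs" / "home" / "alice"
    home.mkdir(parents=True)
    (home / ".bash_history").write_bytes(b"ls -la\nwhoami\n")
    (home / ".bashrc").write_bytes(b"export PATH=$PATH:~/bin\n")
    wsl2 = Path(base) / "OtherDistro_pkg" / "LocalState"
    wsl2.mkdir(parents=True)
    (wsl2 / "ext4.vhdx").write_bytes(b"\x00" * 16)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_wsl_artifacts(build_sample_tree(tmp)))
```

A package that appears only in the second list has no path-addressable bash files, so an empty artifact list for it does not mean the shell was unused.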
Forensic Value
WSL files reveal Linux commands executed, scripts run, development activities, and potentially malicious commands issued through the Linux subsystem. Bash history is critical for identifying attacker activities, privilege escalation attempts, and data exfiltration through WSL.

