
Summary
This rule detects changes to the Windows Registry that indicate the installation of a new Windows Subsystem for Linux (WSL) distribution. Adversaries may abuse WSL to execute Linux applications on a Windows host while evading detection mechanisms that only inspect native Windows processes. The detection is triggered by registry events indicating modifications within the WSL configuration path. Analysts are encouraged to identify the user account responsible and the specific distribution installed, and to review that user's related activity to determine whether the behavior is malicious or authorized. Because WSL is a dual-use tool, proper context is essential to avoid false positives. Additional guidance on incident response and remediation steps is provided so that analysts can investigate thoroughly and take appropriate action if malicious activity is confirmed.
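The following is an added illustration of the detection logic described above, not the rule's own query or code from the rule's authors. It assumes that WSL registers each installed distribution as a per-user registry key of the form HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Lxss\{GUID} with values such as DistributionName and PackageFamilyName, that registry events arrive as dictionaries with a Sysmon-like shape (event type, user, writing process, registry path, value data), and that wsl.exe and wslservice.exe are the expected writers of those values. The event records and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed location where WSL registers each installed distribution: a per-user
# key under HKEY_USERS\<SID>\...\Lxss\{GUID}. Only the values that carry the
# distribution identity are matched, so one alert per distribution is raised.
LXSS_VALUE_RE = re.compile(
    r"^(?:HKEY_USERS|HKU)\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Lxss\\\{[0-9a-f-]+\}\\(DistributionName|PackageFamilyName)$",
    re.IGNORECASE,
)

# Assumed allowlist of processes that legitimately write these values. The alert
# is raised either way; the flag only helps the analyst prioritise triage.
EXPECTED_INSTALLERS = {
    r"c:\windows\system32\wsl.exe",
    r"c:\windows\system32\wslservice.exe",
}


@dataclass
class Alert:
    user: str
    distribution: str
    value_name: str
    process: str
    registry_path: str
    expected_installer: bool


def evaluate(events: Iterable[dict]) -> List[Alert]:
    """Run the detection over registry events and return one Alert per hit."""
    alerts: List[Alert] = []
    for ev in events:
        # Only registry value writes are in scope; process/logon events are
        # context for triage, not triggers.
        if ev.get("event_type") != "registry_value_set":
            continue
        match = LXSS_VALUE_RE.match(ev.get("registry_path", ""))
        if match is None:
            continue
        process = ev.get("process", "")
        alerts.append(Alert(
            user=ev.get("user", "<unknown>"),
            distribution=ev.get("data", "<unknown>"),
            value_name=match.group(1),
            process=process,
            registry_path=ev["registry_path"],
            expected_installer=process.lower() in EXPECTED_INSTALLERS,
        ))
    return alerts


def distributions_by_user(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Summarise which account installed which distributions (triage view)."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.user].add(a.distribution)
    return {user: sorted(names) for user, names in seen.items()}


# Constructed sample events (not real telemetry).
LXSS_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Lxss"
SAMPLE_EVENTS = [
    {   # authorised install through wsl.exe
        "event_type": "registry_value_set", "user": "CORP\\alice",
        "process": "C:\\Windows\\System32\\wsl.exe",
        "registry_path": "HKU\\S-1-5-21-1111-2222-3333-1001\\" + LXSS_KEY
                         + "\\{9f3c7b1a-0000-4000-8000-000000000001}\\DistributionName",
        "data": "Ubuntu",
    },
    {   # same install, a value the rule deliberately ignores
        "event_type": "registry_value_set", "user": "CORP\\alice",
        "process": "C:\\Windows\\System32\\wsl.exe",
        "registry_path": "HKU\\S-1-5-21-1111-2222-3333-1001\\" + LXSS_KEY
                         + "\\{9f3c7b1a-0000-4000-8000-000000000001}\\BasePath",
        "data": "C:\\Users\\alice\\AppData\\Local\\wsl\\ubuntu",
    },
    {   # unrelated registry write under the same user hive
        "event_type": "registry_value_set", "user": "CORP\\alice",
        "process": "C:\\Windows\\explorer.exe",
        "registry_path": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft"
                         "\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "data": "1",
    },
    {   # process event: useful context, never a trigger
        "event_type": "process_start", "user": "CORP\\alice",
        "process": "C:\\Windows\\System32\\wsl.exe", "command_line": "wsl.exe -l -v",
    },
    {   # registration written by an unexpected binary under another account
        "event_type": "registry_value_set", "user": "CORP\\svc-build",
        "process": "C:\\Users\\svc-build\\tools\\register.exe",
        "registry_path": "HKU\\S-1-5-21-1111-2222-3333-1042\\" + LXSS_KEY
                         + "\\{4c2e9d70-0000-4000-8000-000000000002}\\DistributionName",
        "data": "custom-distro",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
    print(distributions_by_user(evaluate(SAMPLE_EVENTS)))
```

Run over the constructed events, the two DistributionName writes produce alerts while the BasePath write, the unrelated Explorer value and the process event do not; the alert from register.exe carries `expected_installer=False`, which is the one an analyst would pull the user's logon session and process history for first.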
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Logon Session
- Process
ATT&CK Techniques
- T1112
- T1202
Created: 2023-01-12