
Installation of WSL Kali-Linux

Sigma Rules

Summary
This detection rule identifies the installation of Kali Linux through the Windows Subsystem for Linux (WSL). Kali Linux is a distribution built for penetration testing and security auditing; once installed on a Windows endpoint it gives an attacker, or an unauthorised insider, a ready-made offensive toolset without having to drop standalone tool binaries that endpoint controls would normally flag. The rule monitors process creation events for executions of 'wsl.exe' whose command line combines an installation flag with the string 'kali', using known command line patterns for WSL distribution installation. Because authorised security staff also install Kali via WSL, a hit is not conclusive on its own and should be triaged against the invoking user, the host and any approved tooling list; outside such sanctioned use, the event warrants investigation as a possible staging of offensive tooling on a Windows system.
Categories
  • Windows
Data Sources
  • Process
Created: 2025-10-10
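The following is an added worked example, not the rule's published selection or any code from the rule's author: it reimplements the detection logic described in the summary in Python and runs it over constructed process-creation events (Sysmon Event ID 1 style fields). The installation switches it matches on ('--install' and '--import') are assumed from documented wsl.exe syntax, since this page does not reproduce the rule's exact patterns; matching is case-insensitive, as Sigma 'contains' and 'endswith' modifiers are by default.

```python
"""Illustrative reimplementation of the 'Installation of WSL Kali-Linux'
detection over constructed process-creation events.

Assumptions (not taken from the published rule): the installation flags
below are drawn from documented wsl.exe syntax
    wsl --install -d <distro>
    wsl --import <name> <install-dir> <tarball>
and the event schema mirrors Sysmon Event ID 1 (Image, CommandLine).
"""
import ntpath

# Assumed installation switches (see module docstring).
INSTALL_FLAGS = ("--install", "--import")
DISTRO_MARKER = "kali"
TARGET_IMAGE = "wsl.exe"


def is_wsl_kali_install(event: dict) -> bool:
    """Return True when the event looks like a Kali install via wsl.exe.

    Mirrors the summary's logic: wsl.exe as the created process, an
    installation flag on the command line, and 'kali' somewhere in it.
    Comparisons are lower-cased so 'WSL.EXE --INSTALL KALI-LINUX' still hits.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != TARGET_IMAGE:
        return False
    cmd = event.get("CommandLine", "").lower()
    if DISTRO_MARKER not in cmd:
        return False
    return any(flag in cmd for flag in INSTALL_FLAGS)


def run_detection(events: list) -> list:
    """Return the ids of all events that trigger the rule, in input order."""
    return [e["id"] for e in events if is_wsl_kali_install(e)]


# Constructed sample events; none are real telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe --install -d kali-linux"},          # hit
    {"id": 2, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": r"wsl.exe --import kali-custom C:\wsl\kali .\kali-rolling.tar"},  # hit
    {"id": 3, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe -d Ubuntu"},                         # launch, not install
    {"id": 4, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe kali-notes.txt"},                # wrong image
    {"id": 5, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe --install -d Ubuntu-22.04"},         # install, not Kali
    {"id": 6, "Image": r"C:\WINDOWS\SYSTEM32\WSL.EXE",
     "CommandLine": "WSL.EXE --INSTALL KALI-LINUX"},              # case-insensitive hit
]


if __name__ == "__main__":
    for event in EVENTS:
        verdict = "ALERT" if is_wsl_kali_install(event) else "ok   "
        print(f"{verdict} [{event['id']}] {event['CommandLine']}")
    print("triggered:", run_detection(EVENTS))
```

Events 3 and 5 show the two narrowing conditions doing their job: merely launching an existing distribution, or installing a non-Kali one, does not fire. Event 4 shows why the image check matters, since 'kali' in an unrelated command line would otherwise alert. A real deployment would also enrich each hit with the user and parent process so that sanctioned installs by the security team can be suppressed rather than silenced rule-wide.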