Summary
This detection rule identifies attempts to install or use Kali Linux via Windows Subsystem for Linux (WSL) on Windows systems. Adversaries may leverage WSL to bypass traditional security measures, since it lets them run Linux distributions, and the tooling they carry, within a Windows environment. The rule is written in EQL (Event Query Language) and applies to various data sources, including Windows event logs and endpoint detection solutions. The detection focuses on execution of the 'wsl.exe' process with arguments indicating the installation or invocation of Kali Linux. This is supplemented by monitoring access to known file paths associated with the Kali Linux installation. The rule operates in real time, triggering alerts for suspicious activities detected in the last nine months, and is classified as high risk with a score of 73. The investigation guide outlines analysis steps to determine whether an alert is valid, steps for incident response, and considerations for false positives, while emphasizing the importance of keeping security measures effective against potential misuse of WSL for defense evasion.
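As an added illustration, not the rule's own EQL (which this page does not reproduce), the following Python check applies the two conditions the summary describes to constructed sample events. The event field names, the argument check and the Kali rootfs path pattern are assumptions of this example, not the rule's exact logic.

```python
import re

# Assumed pattern for the Kali WSL package rootfs under the user's profile.
# The package id segment is matched generically; real ids will differ.
KALI_ROOTFS_RE = re.compile(
    r"\\AppData\\Local\\Packages\\KaliLinux\.[^\\]+\\LocalState\\rootfs\\",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry); field layout is an assumption.
SAMPLE_EVENTS = [
    {"category": "process", "name": "wsl.exe",
     "args": ["wsl.exe", "--install", "-d", "kali-linux"]},
    {"category": "process", "name": "wsl.exe",
     "args": ["wsl.exe", "-d", "Ubuntu"]},                      # benign distro
    {"category": "process", "name": "wsl.exe",
     "args": ["wsl.exe", "-d", "kali-linux", "--", "id"]},
    {"category": "file", "name": "explorer.exe",
     "path": r"C:\Users\u\AppData\Local\Packages\KaliLinux.EXAMPLEID_abc\LocalState\rootfs\etc\passwd"},
    {"category": "file", "name": "notepad.exe",
     "path": r"C:\Users\u\Documents\notes.txt"},                 # benign file
]


def is_kali_wsl_process(event):
    """wsl.exe launched with an argument naming the Kali distribution."""
    if event.get("category") != "process":
        return False
    if event.get("name", "").lower() != "wsl.exe":
        return False
    return any("kali" in arg.lower() for arg in event.get("args", []))


def is_kali_rootfs_access(event):
    """File activity under the Kali WSL package rootfs path."""
    return (event.get("category") == "file"
            and KALI_ROOTFS_RE.search(event.get("path", "")) is not None)


def detect(events):
    """Return (condition, detail) pairs for events matching either condition.
    Triage note: authorised security testers using Kali in WSL will also match,
    so alerts should be checked against approved tooling before escalation."""
    alerts = []
    for event in events:
        if is_kali_wsl_process(event):
            alerts.append(("process", " ".join(event["args"])))
        elif is_kali_rootfs_access(event):
            alerts.append(("file", event["path"]))
    return alerts
```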
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Network Traffic
- Application Log
ATT&CK Techniques
- T1202
Created: 2023-01-12