Windows Subsystem for Linux Enabled via Dism Utility

Elastic Detection Rules

Summary
This detection rule identifies attempts by adversaries to enable the Windows Subsystem for Linux (WSL) on Windows systems using the DISM (Deployment Image Servicing and Management) utility. WSL lets an attacker run Linux applications on a Windows host, which may help them evade security solutions that only inspect Windows-native activity. The rule works by monitoring the execution of DISM and checking whether its command line includes the string 'Microsoft-Windows-Subsystem-Linux'. Investigation should verify the legitimacy of the action by checking the user account that executed DISM and assessing whether the change aligns with approved administrative procedures. False positives are expected: DISM is a legitimate tool that is routinely used in administrative contexts, and its use does not indicate malicious intent when the change is approved and known within the environment.
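As an added illustration of the logic the summary describes (this is example code written for this page, not Elastic's rule or query), the following Python runs the check over constructed process events and tags each match for triage. The process-name comparison, case-insensitive matching of the feature string, and the approved-accounts allowlist are assumptions added here to mirror the investigation guidance above; the sample events are constructed, not real telemetry.

```python
"""Toy re-implementation of the detection described on the page:
flag DISM executions whose command line names the WSL feature, then
annotate each hit with the triage context the rule summary asks for."""
from dataclasses import dataclass

# The string the rule looks for (lower-cased; Windows command lines are
# case-insensitive, so matching case-insensitively is an assumption here).
FEATURE = "microsoft-windows-subsystem-linux"


@dataclass
class ProcessEvent:
    """Minimal process-creation event: who ran what, with which arguments."""
    user: str
    process: str
    command_line: str


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\alice", "dism.exe",
                 "dism.exe /online /enable-feature "
                 "/featurename:Microsoft-Windows-Subsystem-Linux /all /norestart"),
    ProcessEvent("CORP\\bob", "Dism.exe",
                 "Dism.exe /Online /Cleanup-Image /RestoreHealth"),
    ProcessEvent("CORP\\svc_deploy", "DISM.EXE",
                 "DISM.EXE /Online /Enable-Feature "
                 "/FeatureName:MICROSOFT-WINDOWS-SUBSYSTEM-LINUX"),
    ProcessEvent("CORP\\carol", "notepad.exe",
                 "notepad.exe C:\\notes\\Microsoft-Windows-Subsystem-Linux.txt"),
]


def is_dism_wsl_enable(event: ProcessEvent) -> bool:
    """True when DISM itself runs with the WSL feature name on its command line.

    Requiring the process to be dism.exe (an assumption; the page only says
    'execution of DISM') avoids matching unrelated programs whose arguments
    happen to contain the feature string.
    """
    return (event.process.lower() == "dism.exe"
            and FEATURE in event.command_line.lower())


def detect(events, approved_accounts=frozenset()):
    """Return one alert dict per matching event.

    The 'triage' field reflects the page's false-positive guidance: a hit from
    an account known to perform approved WSL deployments is labelled as such,
    anything else is marked for investigation.
    """
    approved = {a.lower() for a in approved_accounts}
    alerts = []
    for ev in events:
        if not is_dism_wsl_enable(ev):
            continue
        alerts.append({
            "user": ev.user,
            "command_line": ev.command_line,
            "triage": "approved_admin" if ev.user.lower() in approved
                      else "investigate",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, approved_accounts={"CORP\\svc_deploy"}):
        print(f"[{alert['triage']}] {alert['user']}: {alert['command_line']}")
```

With the constructed input the two DISM enable-feature events are flagged, the DISM repair command and the unrelated notepad.exe event are not, and only the alert from the allowlisted deployment account is labelled as approved; the remaining hit is the one an analyst would actually work.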
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • User Account
ATT&CK Techniques
  • T1202
Created: 2023-01-13