
Summary
This detection rule identifies suspicious execution of Linux commands through the Windows Subsystem for Linux (WSL) on Windows systems. WSL allows Linux binaries to run natively on Windows, which adversaries may exploit to run Linux commands while evading detection. The rule is implemented in EQL (Event Query Language) and watches for specific executable paths, command-line arguments, and parent-child process relationships to flag unusual activity. It targets events from several sources, including Winlogbeat and Microsoft Defender for Endpoint, focusing on processes that deviate from expected behavior. The primary indicators are executions of 'bash.exe' or its equivalents in contexts that are atypical for legitimate usage. Because common development activity and legitimate WSL use can produce false positives, triage and investigation steps are included to reduce noise and verify alerts. The detection maps to the MITRE ATT&CK framework, covering techniques used for defense evasion and execution.
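To make the indicators above concrete, here is an added example (not the rule's own EQL or data) of the same three checks, executable path, parent process and command-line arguments, applied to constructed process-creation events; the binary names, install paths and expected-parent list are assumptions a real deployment would tune from its own baseline.

```python
"""Simplified WSL-abuse triage over constructed process-creation events.

Assumptions (not the detection rule's own logic): the binary names, install
prefixes and 'expected parent' list are illustrative and would be tuned
against baseline telemetry from the environment being monitored.
"""

WSL_BINARIES = {"bash.exe", "wsl.exe", "wslhost.exe"}  # assumption
# Locations where the WSL launchers normally live (assumption).
WSL_INSTALL_PREFIXES = ("c:\\windows\\system32\\",
                        "c:\\program files\\windowsapps\\")
# Parents that usually launch WSL for interactive or dev work (assumption).
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                    "powershell.exe", "code.exe"}


def evaluate(event):
    """Return the reasons an event looks suspicious (empty list if benign)."""
    proc = event["process"]
    name = proc["name"].lower()
    if name not in WSL_BINARIES:
        return []
    path, parent = proc["executable"].lower(), proc["parent"]["name"].lower()
    cmd = f' {proc.get("command_line", "")} '
    reasons = []
    if not path.startswith(WSL_INSTALL_PREFIXES):
        reasons.append("wsl binary executed from unexpected path")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
        # A one-shot command handed to the shell from a non-interactive
        # parent is a stronger signal than an interactive session.
        if any(flag in cmd for flag in (" -c ", " -e ", " --exec ")):
            reasons.append("non-interactive command passed to WSL shell")
    return reasons


def triage(events):
    """Map event id -> reasons for every event that raised at least one."""
    hits = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits[event["id"]] = reasons
    return hits


# Constructed sample events in a simplified ECS-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "process": {"name": "bash.exe", "command_line": "bash.exe",
     "executable": "C:\\Windows\\System32\\bash.exe",
     "parent": {"name": "WindowsTerminal.exe"}}},
    {"id": 2, "process": {"name": "wsl.exe", "command_line": "wsl.exe -e uname -a",
     "executable": "C:\\Windows\\System32\\wsl.exe",
     "parent": {"name": "WINWORD.EXE"}}},
    {"id": 3, "process": {"name": "bash.exe", "command_line": "bash.exe -c id",
     "executable": "C:\\Users\\Public\\bash.exe",
     "parent": {"name": "cmd.exe"}}},
]
```

Event 1 is an ordinary terminal session and raises nothing; event 2 is flagged for its Office parent and one-shot command, event 3 for a launcher copied outside its install location.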
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1202
- T1059
- T1059.004
Created: 2023-01-13