
Summary
The detection rule 'Execution via Windows Subsystem for Linux' identifies attempts to execute programs on a Windows host through the Windows Subsystem for Linux (WSL). Adversaries may use WSL to evade traditional detection mechanisms and run potentially harmful binaries or scripts from it. The rule targets processes spawned by the known WSL launchers (wsl.exe, wslhost.exe) and applies a series of conditions on the child executable's path to filter out legitimate use. By examining events in the specified indexes, the rule not only flags suspicious activity but also lets analysts investigate further by correlating with additional data sources. The investigation guide offers structured approaches for analysis and response, emphasizing the importance of accurately distinguishing malicious from legitimate WSL use.
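The following is an added example that re-implements the parent/child-path logic the summary describes as a small Python filter; it is not the rule's own query. The event field names, the allowlisted directory prefixes and the sample events are constructed assumptions, and the example also shows why the path must be normalised before the allowlist is applied.

```python
# Added example (not the rule's own code): flag process-creation events whose
# parent is a WSL launcher and whose executable lives outside allowlisted
# directories. Field names, prefixes and sample events are assumptions.
import ntpath
from typing import Dict, List

WSL_PARENTS = {"wsl.exe", "wslhost.exe"}

# Assumed allowlist. Each prefix ends with a separator so that a sibling
# directory such as c:\windows\system32evil\ does not match.
ALLOWED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\windowsapps\\",
)


def normalise(path: str) -> str:
    """Collapse '..' and mixed slashes (ntpath works on any host) and
    lower-case, so allowlist comparison is exact and case-insensitive."""
    return ntpath.normpath(path).lower()


def is_allowlisted(executable: str) -> bool:
    return normalise(executable).startswith(ALLOWED_PREFIXES)


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a WSL launcher spawned a child outside the allowlist."""
    parent = event.get("parent_name", "").lower()
    exe = event.get("executable", "")
    if parent not in WSL_PARENTS or not exe:
        return False
    return not is_allowlisted(exe)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"parent_name": "wsl.exe", "executable": "C:\\Windows\\System32\\cmd.exe"},
    {"parent_name": "WSLHOST.EXE", "executable": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"},
    {"parent_name": "explorer.exe", "executable": "C:\\Users\\alice\\Downloads\\tool.exe"},
    # Traversal out of an allowlisted directory; only caught after normalisation.
    {"parent_name": "wsl.exe", "executable": "C:/Windows/System32/../Temp/x.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("suspicious:", hit["parent_name"], "->", hit["executable"])
```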
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Sensor Health
ATT&CK Techniques
- T1202
Created: 2023-01-12