WSL Kali-Linux Usage
Detects the use of Kali Linux through Windows Subsystem for Linux
Sigma rule
```yaml
title: WSL Kali-Linux Usage
id: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4
status: experimental
description: Detects the use of Kali Linux through Windows Subsystem for Linux
references:
    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
    - https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_appdata:
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\packages\KaliLinux'
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\Microsoft\WindowsApps\kali.exe'
    selection_img_windowsapps:
        Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
        Image|endswith: '\kali.exe'
    selection_kali_wsl_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_kali_wsl_child:
        - Image|contains:
              - '\kali.exe'
              - '\KaliLinux'
        - CommandLine|contains:
              - 'Kali.exe'
              - 'Kali-linux'
              - 'kalilinux'
    filter_main_install_uninstall:
        CommandLine|contains:
            - ' -i '
            - ' --install '
            - ' --unregister '
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
falsepositives:
    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high
```
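To see how the selections, the filter and the condition combine, here is a small evaluator for this rule run over constructed process_creation events. It is an added example, not code from the Sigma project; it implements only the string modifiers the rule uses (Sigma matching is case-insensitive) and the rule's condition, where `and` binds tighter than `or`. The image paths and command lines in the sample events are made up.

```python
# Added example: evaluate the "WSL Kali-Linux Usage" rule against constructed events.
# Only the modifiers the rule uses are implemented: contains, contains|all, endswith.
# Sigma compares strings case-insensitively, so every helper lower-cases both sides.

def _contains(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _contains_all(value, needles):
    v = value.lower()
    return all(n.lower() in v for n in needles)

def _endswith(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def matches_wsl_kali_usage(ev):
    img, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    # selection_img_appdata is a list of two maps, so either entry is enough (OR)
    img_appdata = (_contains_all(img, [":\\Users\\", "\\AppData\\Local\\packages\\KaliLinux"])
                   or _contains_all(img, [":\\Users\\", "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe"]))
    # selection_img_windowsapps is a single map, so both fields must match (AND)
    img_windowsapps = (_contains(img, [":\\Program Files\\WindowsApps\\KaliLinux."])
                       and _endswith(img, ["\\kali.exe"]))
    kali_parent = _endswith(parent, ["\\wsl.exe", "\\wslhost.exe"])
    kali_child = (_contains(img, ["\\kali.exe", "\\KaliLinux"])
                  or _contains(cmd, ["Kali.exe", "Kali-linux", "kalilinux"]))
    install_filter = _contains(cmd, [" -i ", " --install ", " --unregister "])
    # condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
    # ("and" binds tighter than "or", so the filter only applies to the selection_kali_* branch)
    return (img_appdata or img_windowsapps) or (kali_parent and kali_child and not install_filter)

# Constructed sample events; the package folder name is a placeholder, not a real one.
SAMPLE_EVENTS = [
    # Store-packaged kali.exe started by the user: hits selection_img_windowsapps
    {"Image": r"C:\Program Files\WindowsApps\KaliLinux.1.0.0_x64__placeholder\kali.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "kali.exe"},
    # wslhost.exe spawned by wsl.exe for the kali-linux distro: hits both selection_kali_* entries
    {"Image": r"C:\Windows\System32\wslhost.exe", "ParentImage": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wslhost.exe -d kali-linux"},
    # Same parent/child, but an install command line: suppressed by filter_main_install_uninstall
    {"Image": r"C:\Windows\System32\wslhost.exe", "ParentImage": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wslhost.exe --install -d kali-linux"},
    # Unrelated process: no selection matches
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]

def run_samples():
    return [matches_wsl_kali_usage(ev) for ev in SAMPLE_EVENTS]  # [True, True, False, False]
```

Note that the install/uninstall filter does not apply to the `selection_img_*` branch, so a `kali.exe` launched from the package folder is reported regardless of its command line.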
Related rules
- Potentially Suspicious Child Processes Spawned by ConHost
- Uncommon Child Process Of Conhost.EXE
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Suspicious Cabinet File Execution Via Msdt.EXE