Sigma | Level: high | Hunting

Installation of WSL Kali-Linux

Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.

MITRE ATT&CK

execution

Detection Query

selection_wsl_img:
  - Image|endswith: \wsl.exe
  - OriginalFileName: wsl
selection_wsl_install:
  CommandLine|contains:
    - " --install "
    - " -i "
selection_wsl_kali:
  CommandLine|contains: kali
condition: all of selection_wsl_*
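As an added illustration (not part of the rule or the Sigma project), the following Python re-implements the rule's matching semantics over constructed process-creation events: the list form of selection_wsl_img is an OR between its two items, Sigma's `contains` and `endswith` modifiers are case-insensitive, and `all of selection_wsl_*` ANDs the three selections. The events and field values are constructed for the example.

```python
# Constructed process-creation events (not real telemetry). Field names follow the
# Sigma windows/process_creation log source used by the rule above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wsl.exe", "OriginalFileName": "wsl",
     "CommandLine": "wsl.exe --install -d kali-linux"},          # expected: match
    {"Image": r"C:\Windows\System32\wsl.exe", "OriginalFileName": "wsl",
     "CommandLine": "wsl.exe -d Ubuntu"},                         # no install flag
    {"Image": r"C:\Windows\System32\wsl.exe", "OriginalFileName": "wsl",
     "CommandLine": "wsl.exe --install -d Ubuntu"},               # no 'kali'
    {"Image": r"C:\Tools\setup.exe", "OriginalFileName": "setup",
     "CommandLine": "setup.exe --install kali"},                  # not wsl.exe
    # Renamed copy of wsl.exe: Image no longer ends with \wsl.exe, but the
    # OriginalFileName from the PE header still satisfies selection_wsl_img.
    {"Image": r"C:\Temp\w.exe", "OriginalFileName": "wsl",
     "CommandLine": "w.exe -i Kali-Linux"},                       # expected: match
]


def _ci(value):
    """Sigma string matching is case-insensitive; normalise missing fields to ''."""
    return (value or "").lower()


def sel_wsl_img(ev):
    # A YAML list of maps under a selection is an OR between the items.
    return (_ci(ev.get("Image")).endswith(r"\wsl.exe")
            or _ci(ev.get("OriginalFileName")) == "wsl")


def sel_wsl_install(ev):
    # CommandLine|contains with a list of values is an OR between the values.
    # The padded spaces mean the flag must appear as a whole token.
    cmd = _ci(ev.get("CommandLine"))
    return any(flag in cmd for flag in (" --install ", " -i "))


def sel_wsl_kali(ev):
    return "kali" in _ci(ev.get("CommandLine"))


def matches_rule(ev):
    # condition: all of selection_wsl_*  ->  AND across the three selections
    return sel_wsl_img(ev) and sel_wsl_install(ev) and sel_wsl_kali(ev)


def evaluate(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print("matching event indices:", evaluate(SAMPLE_EVENTS))
```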

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-10-10

Data Sources

windows / Process Creation Events

Platforms

windows

Tags

attack.execution, attack.t1059

Raw Content
title: Installation of WSL Kali-Linux
id: eca8ae39-5c3c-4321-b538-9e64fe25822e
status: experimental
description: |
    Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
    Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
references:
    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
    - https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_wsl_img:
        - Image|endswith: '\wsl.exe'
        - OriginalFileName: 'wsl'
    selection_wsl_install:
        CommandLine|contains:
            - ' --install '
            - ' -i '
    selection_wsl_kali:
        CommandLine|contains: 'kali'
    condition: all of selection_wsl_*
falsepositives:
    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high