
WSL Kali-Linux Usage

Format: Sigma · Level: HIGH · Source: SigmaHQ
ATT&CK: T1202
Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-24T11:00:00Z · Confidence: low

Hunt Hypothesis

Detects the use of Kali Linux through Windows Subsystem for Linux

Detection Rule

Sigma (Original)

title: WSL Kali-Linux Usage
id: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4
status: experimental
description: Detects the use of Kali Linux through Windows Subsystem for Linux
references:
    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
    - https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_appdata:
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\packages\KaliLinux'
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\Microsoft\WindowsApps\kali.exe'
    selection_img_windowsapps:
        Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
        Image|endswith: '\kali.exe'
    selection_kali_wsl_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_kali_wsl_child:
        - Image|contains:
              - '\kali.exe'
              - '\KaliLinux'
        - CommandLine|contains:
              - 'Kali.exe'
              - 'Kali-linux'
              - 'kalilinux'
    filter_main_install_uninstall:
        CommandLine|contains:
            - ' -i '
            - ' --install '
            - ' --unregister '
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
falsepositives:
    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (((TargetProcessName contains ":\\Users\\" and TargetProcessName contains "\\AppData\\Local\\packages\\KaliLinux") or (TargetProcessName contains ":\\Users\\" and TargetProcessName contains "\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe")) or (TargetProcessName contains ":\\Program Files\\WindowsApps\\KaliLinux." and TargetProcessName endswith "\\kali.exe")) or ((((ParentProcessName endswith "\\wsl.exe" or ParentProcessName endswith "\\wslhost.exe") or (ActingProcessName endswith "\\wsl.exe" or ActingProcessName endswith "\\wslhost.exe")) and ((TargetProcessName contains "\\kali.exe" or TargetProcessName contains "\\KaliLinux") or (TargetProcessCommandLine contains "Kali.exe" or TargetProcessCommandLine contains "Kali-linux" or TargetProcessCommandLine contains "kalilinux"))) and (not((TargetProcessCommandLine contains " -i " or TargetProcessCommandLine contains " --install " or TargetProcessCommandLine contains " --unregister "))))

Required Data Sources

Sentinel Table: imProcessCreate
Notes: imProcessCreate is the ASIM ProcessEvent parser, not a connector by itself. Make sure the parser is deployed and fed by a process-creation source that carries the parent image and the full command line (Sysmon Event ID 1, or Security Event 4688 with "Include command line in process creation events" enabled); the ParentImage and CommandLine selectors above return nothing without those fields.

False Positive Guidance

Expected benign hits are the rule's own stated case: administrators or security teams who legitimately install and use the Kali Linux WSL distribution. The install/unregister filter (` -i `, ` --install `, ` --unregister `) applies only to the wsl.exe/wslhost.exe parent branch; launches of kali.exe from a user's AppData or from Program Files\WindowsApps alert regardless of command line. Tune by allow-listing the hosts or accounts of authorized offensive-security staff rather than by broadening the command-line filter, since that filter matches attacker-controlled argument text.

MITRE ATT&CK Context

T1202 Indirect Command Execution (tactic: Defense Evasion). WSL provides a Linux toolchain that executes outside the usual Windows command interpreters, so Kali tooling launched through wsl.exe can sidestep controls and logging that focus on cmd.exe and powershell.exe. The rule's `attack.stealth` tag is not one of the ATT&CK tactic names used in Sigma's tag taxonomy; the tactic tag for T1202 is attack.defense-evasion.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml