
Summary
This detection rule identifies proxy execution through the Windows Update Client binary (wuauclt.exe). Invoked as `wuauclt.exe /UpdateDeploymentProvider <path to DLL> /RunHandlerComServer`, the signed Microsoft binary loads whatever DLL is named on the command line, which lets an attacker run a payload inside a trusted process and sidestep controls that only look at unsigned or unusual executables. The technique is catalogued as a living-off-the-land binary and has been reported in use by North Korean threat groups. The rule selects process-creation events where the image is wuauclt.exe and the command line carries both the UpdateDeploymentProvider and RunHandlerComServer switches, then filters out the legitimate Windows Update invocation, which references Windows' own wuaueng.dll; anything else naming a DLL through those switches is flagged. Alerts warrant immediate triage because the loaded DLL typically inherits the privileges of the launching context, which is often SYSTEM when the attacker already has local administrator access. Two caveats for defenders: an image-path match misses a renamed copy of the binary, so correlating on the OriginalFileName field of the process-creation event (Sysmon Event ID 1) is advisable, and false positives are possible where third-party update providers or management tooling legitimately use these switches, so the filter list should be refined against the environment rather than treated as final.
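The selection-and-filter logic described above, run over constructed Sysmon-style process-creation records. This is an added illustration written for this page, not the rule's own definition or the project's code: the `wuaueng.dll`/System32 allowlist, the OriginalFileName correlation and the sample events are assumptions chosen to exercise the edge cases (quoted DLL paths, mixed-case switches, a renamed binary) rather than copies of the published rule.

```python
import re
import ntpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields used by the check."""
    image: str
    original_file_name: str
    command_line: str
    user: str


@dataclass(frozen=True)
class Alert:
    dll: str
    user: str
    command_line: str


# Constructed sample telemetry (not real captures): one benign Windows Update
# invocation, three proxy-execution attempts, and two unrelated events.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe",
                 r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer',
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe",
                 r"C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\update.dll /RunHandlerComServer",
                 r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe",
                 r'"C:\Windows\System32\wuauclt.exe" /updatedeploymentprovider "C:\ProgramData\Temp Dir\helper.dll" /runhandlercomserver',
                 r"NT AUTHORITY\SYSTEM"),
    # Renamed copy of wuauclt.exe: only OriginalFileName still identifies it.
    ProcessEvent(r"C:\Temp\svc.exe", "wuauclt.exe",
                 r"C:\Temp\svc.exe /UpdateDeploymentProvider C:\Temp\svc.dll /RunHandlerComServer",
                 r"CORP\jdoe"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe",
                 r"C:\Windows\System32\wuauclt.exe /detectnow /updatenow",
                 r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s wuauserv",
                 r"NT AUTHORITY\SYSTEM"),
]

# The provider DLL argument may be quoted (paths with spaces) and switches are
# case-insensitive on Windows, so match accordingly.
_PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_HANDLER_RE = re.compile(r"/RunHandlerComServer\b", re.IGNORECASE)

# Assumed allowlist for this example: Windows Update itself only loads
# wuaueng.dll, given either as a bare name or from the System32 directory.
_LEGIT_DLL = "wuaueng.dll"
_SYSTEM32 = r"c:\windows\system32"


def is_wuauclt(ev: ProcessEvent) -> bool:
    """Match on the image path or on OriginalFileName to survive renaming."""
    return (ntpath.basename(ev.image).lower() == "wuauclt.exe"
            or ev.original_file_name.lower() == "wuauclt.exe")


def provider_dll(command_line: str) -> Optional[str]:
    """Return the DLL passed to /UpdateDeploymentProvider, or None if absent."""
    m = _PROVIDER_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_expected_provider(dll: str) -> bool:
    """True only for wuaueng.dll with no directory or the System32 directory."""
    directory, name = ntpath.split(dll)
    if name.lower() != _LEGIT_DLL:
        return False
    return directory == "" or directory.lower().rstrip("\\") == _SYSTEM32


def evaluate(ev: ProcessEvent) -> Optional[Alert]:
    """Selection (binary + both switches) and not filter (known-good DLL)."""
    if not is_wuauclt(ev) or not _HANDLER_RE.search(ev.command_line):
        return None
    dll = provider_dll(ev.command_line)
    if dll is None or is_expected_provider(dll):
        return None
    return Alert(dll=dll, user=ev.user, command_line=ev.command_line)


def detect(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT user={alert.user} dll={alert.dll}")
```

The allowlist deliberately compares the DLL's directory, not just its name: a `wuaueng.dll` dropped into a user-writable folder would otherwise slip through the filter. A bare `wuaueng.dll` is accepted here because that is how the legitimate invocation appears, but it resolves through the DLL search order, so an environment that wants a stricter filter can require the full System32 path instead.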
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2020-10-12