
GPUpdate with no Command Line Arguments with Network

Splunk Security Content

Summary
This analytic detects execution of gpupdate.exe with no command-line arguments in combination with an active network connection from that process. Using Endpoint Detection and Response (EDR) telemetry, it correlates process-creation events for gpupdate.exe, which is normally launched with parameters such as /force or /target, against network-connection events for the same process instance. The absence of arguments together with outbound network activity is a known indicator of process injection: attackers, notably Cobalt Strike operators, spawn gpupdate.exe as a sacrificial host process (spawnto) and inject a beacon into it, so the network traffic belongs to the implant rather than to Group Policy. Such activity can indicate lateral movement or command and control. Note that gpupdate.exe without arguments is also a legitimate way to refresh policy and will contact a domain controller, so the parent process and the network destination should be examined when triaging an alert. The detection alerts security personnel to investigate further and mitigate a possible system compromise.
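The correlation described above, written out as an added Python example so the logic can be exercised offline. This is not the Splunk search from Security Content; it models the same rule over constructed events shaped loosely like Sysmon process-create and network-connect records. The field names (guid, image, cmdline, parent, dest_ip, dest_port), the DC_ALLOWLIST tuning knob, and all sample events are assumptions made for the example.

```python
"""Reference detection logic (added example, not the Splunk analytic itself).

Flags gpupdate.exe processes that were started with no command-line
arguments and subsequently opened a network connection.  Process and
network events are joined on a per-process GUID, as an EDR would do.
"""
import shlex
from collections import defaultdict

TARGET = "gpupdate.exe"

# Constructed sample telemetry (not real logs).  Shape mirrors Sysmon
# EventID 1 (process create) and EventID 3 (network connection).
PROCESS_EVENTS = [
    # normal admin refresh with an argument
    {"guid": "A1", "image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": r'"C:\Windows\System32\gpupdate.exe" /force', "parent": "cmd.exe"},
    # argument-less, spawned by rundll32 and talking to the internet: the bad case
    {"guid": "B2", "image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": r"C:\Windows\System32\gpupdate.exe", "parent": "rundll32.exe"},
    # argument-less but never makes a connection
    {"guid": "C3", "image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": "gpupdate.exe", "parent": "cmd.exe"},
    # arguments present
    {"guid": "D4", "image": r"C:\Windows\SysWOW64\gpupdate.exe",
     "cmdline": "gpupdate.exe /target:computer", "parent": "explorer.exe"},
    # argument-less legitimate refresh that only reaches a domain controller
    {"guid": "E5", "image": r"C:\Windows\System32\gpupdate.exe",
     "cmdline": r'"C:\Windows\System32\gpupdate.exe"', "parent": "explorer.exe"},
]
NETWORK_EVENTS = [
    {"guid": "A1", "dest_ip": "192.0.2.5", "dest_port": 389},
    {"guid": "B2", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"guid": "E5", "dest_ip": "192.0.2.5", "dest_port": 389},
]
# Hypothetical tuning knob: domain controllers an argument-less gpupdate is
# expected to reach (LDAP/SMB) during a legitimate policy refresh.
DC_ALLOWLIST = frozenset({"192.0.2.5"})


def parse_cmdline(cmdline):
    """Split a raw Windows command line into tokens.

    posix=False keeps backslashes literal (they are path separators, not
    escapes) and honours quoted paths containing spaces; surrounding
    quotes are then stripped from each token.
    """
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_argless_gpupdate(image, cmdline):
    """True when the image is gpupdate.exe and the command line carries
    nothing beyond the executable itself (quoted or bare, any path)."""
    if basename(image) != TARGET:
        return False
    tokens = parse_cmdline(cmdline)
    return len(tokens) == 1 and basename(tokens[0]) == TARGET


def detect(process_events, network_events, dc_allowlist=frozenset()):
    """Return one hit per argument-less gpupdate.exe process that made at
    least one network connection to a destination outside dc_allowlist."""
    conns = defaultdict(list)
    for ev in network_events:
        conns[ev["guid"]].append(ev)

    hits = []
    for ev in process_events:
        if not is_argless_gpupdate(ev["image"], ev["cmdline"]):
            continue
        unexpected = [c for c in conns.get(ev["guid"], ())
                      if c["dest_ip"] not in dc_allowlist]
        if unexpected:
            hits.append({
                "guid": ev["guid"],
                "parent": ev["parent"],
                "destinations": [(c["dest_ip"], c["dest_port"]) for c in unexpected],
            })
    return hits


if __name__ == "__main__":
    for hit in detect(PROCESS_EVENTS, NETWORK_EVENTS, DC_ALLOWLIST):
        print(f"ALERT guid={hit['guid']} parent={hit['parent']} "
              f"destinations={hit['destinations']}")
```

Without the allowlist both B2 and E5 fire, which is the analytic as stated; with it only B2 remains, showing how a domain-controller allowlist removes the expected policy-refresh traffic while keeping the rundll32-spawned process that beacons to 203.0.113.10:443.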
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1055
Created: 2024-12-10