HackTool - SharpWSUS/WSUSpendu Execution

Sigma Rules

Summary
This detection rule identifies execution of SharpWSUS and WSUSpendu, two tools used for lateral movement in networks that rely on Windows Server Update Services (WSUS). Both abuse the WSUS infrastructure itself, which lets an adversary push to other hosts through a trusted update channel and so bypass segmentation controls. Detection is based on process creation events: the command line is inspected for indicators characteristic of these tools, such as '-Inject', '-PayloadArgs' and '-PayloadFile' for WSUSpendu, and the 'approve', 'create', 'check' and 'delete' commands for SharpWSUS. An alert fires when the observed command-line content matches these patterns. The rule matters because lateral-movement tooling of this kind has a high potential impact in an enterprise environment, and understanding and mitigating the risk it poses is part of maintaining a robust security posture.
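As an added example (not the rule's own YAML and not code from the site), the command-line checks described above re-implemented in Python and run over constructed process-creation events. The grouping of indicators (all three WSUSpendu switches together; the SharpWSUS binary name plus one of its commands) and the sample command lines are assumptions made for this example, not the rule's exact selection logic.

```python
"""Minimal re-implementation of the rule's command-line indicators, run over
constructed Sysmon/4688-style process-creation events (assumption: each event
is a dict with at least Image and CommandLine)."""
from typing import Dict, List

# Indicators named in the rule summary. Matching is case-insensitive because
# PowerShell switches and .NET tool arguments are not case-sensitive.
WSUSPENDU_SWITCHES = ("-inject", "-payloadargs", "-payloadfile")
SHARPWSUS_COMMANDS = ("approve", "create", "check", "delete")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the tools whose indicators appear in one event."""
    cmd = event.get("CommandLine", "").lower()
    tokens = cmd.split()
    hits: List[str] = []
    # WSUSpendu: require all three switches together; any one alone is too weak.
    if all(switch in tokens for switch in WSUSPENDU_SWITCHES):
        hits.append("WSUSpendu")
    # SharpWSUS: bare verbs like 'create' or 'delete' are far too common to alert
    # on, so this example also requires the tool name in the command line
    # (a renamed binary would evade this; the rule's own logic may differ).
    if "sharpwsus" in cmd and any(verb in tokens for verb in SHARPWSUS_COMMANDS):
        hits.append("SharpWSUS")
    return hits


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep only those that matched."""
    return [{"CommandLine": e["CommandLine"], "tools": classify(e)}
            for e in events if classify(e)]


# Constructed sample events (placeholder paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File WSUSpendu.ps1 -Inject "
                    r"-PayloadFile C:\placeholder\tool.exe -PayloadArgs placeholder"},
    {"Image": r"C:\Users\placeholder\SharpWSUS.exe",
     "CommandLine": "SharpWSUS.exe check"},
    # Benign: the verb 'create' appears but nothing ties it to SharpWSUS.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c mkdir C:\\temp && create backup"},
    # Benign: legitimate WSUS administration cmdlet, no tool indicators.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-WsusUpdate -Approval Unapproved"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit["tools"], "<-", hit["CommandLine"])
```

Tuning the two benign events is where a real deployment spends its effort: the rule's value comes from how the indicators are combined, not from any single token.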
Categories
  • Windows
  • Network
Data Sources
  • Process
Created: 2022-10-07