diff --git a/datasets/attack_techniques/T1505.003/T1505.003.yml b/datasets/attack_techniques/T1505.003/T1505.003.yml index cfe9f89c..baa75c20 100644 --- a/datasets/attack_techniques/T1505.003/T1505.003.yml +++ b/datasets/attack_techniques/T1505.003/T1505.003.yml @@ -1,6 +1,6 @@ author: Michael Haag id: cc9b2609-efc9-11eb-926b-550bf0943fbb -date: '2021-03-11' +date: '2025-10-24' description: The following data was produced to emulate IIS, w3wp.exe, spawning shells, simulating web shell activity. In addition, behavior related to Microsoft Exchange Server's Unified Messaging services, umworkerprocess.exe and umservice.exe, spawning @@ -28,3 +28,7 @@ datasets: path: /datasets/attack_techniques/T1505.003/moveit_windows-sysmon.log sourcetype: XmlWinEventLog source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational +- name: wsus-windows-sysmon + path: /datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log + sourcetype: XmlWinEventLog + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational diff --git a/datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log b/datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log new file mode 100644 index 00000000..141a3922 --- /dev/null +++ b/datasets/attack_techniques/T1505.003/wsus-windows-sysmon.log @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f9a4be69d25d2c39be02a4288f75780b4e34a80d3555a8900e4f7a3c977ec220 +size 13290
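Review bot: In the `@@ -1,6 +1,6 @@` hunk of T1505.003.yml the `date` moves to '2025-10-24', but the `description` lines visible as context are untouched and mention only IIS `w3wp.exe` and the Exchange Unified Messaging services. Since this patch adds a WSUS dataset, extend the description with a sentence saying what the WSUS capture emulates, so the metadata explains every log it lists. Also check that overwriting the single `date` is intended, because it now dates the older captures listed in the file, such as `moveit_windows-sysmon.log`, to 2025 as well.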
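Review bot: The new `wsus-windows-sysmon` entry in the `@@ -28,3 +28,7 @@` hunk declares `sourcetype: XmlWinEventLog` with the Sysmon Operational source, matching the `moveit_windows-sysmon.log` entry above it, but the referenced file arrives only as a Git LFS pointer, so the diff cannot show that the events are XML-rendered. Please confirm the log format matches the declared sourcetype before merge, for example with a note in the PR description, since a mismatch would load into the index without field extraction and detections tested against it would silently find nothing.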
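Review bot: wsus-windows-sysmon.log is added as a Git LFS pointer with `size 13290`, so reviewers see neither the events nor which process relationship the capture contains. State in the PR or in the yml description which Sysmon event IDs and which parent and child processes are in the log, and confirm that host names, user names and other environment details were scrubbed before upload.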