This query identifies file writes of known file names and paths observed during exploitation
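// Purpose: surface file write / create events for known web-shell artifacts
// (spinstall0.aspx, debug_dev.js) dropped into the SharePoint hive LAYOUTS folders
// when the writing process is powershell.exe.
// Returns one row per matching file event with the actor and causality process
// context needed for triage (command line, file path, SHA256).
dataset = xdr_data
| fields _time, agent_hostname, causality_actor_process_image_name, actor_process_image_name, actor_process_command_line, action_file_name, action_file_path, action_file_sha256, event_type, event_sub_type
// Only file-write and new-file-create events are of interest; other FILE sub-types (reads, renames) are excluded.
| filter event_type = ENUM.FILE and event_sub_type in (ENUM.FILE_WRITE, ENUM.FILE_CREATE_NEW)
// spinstall0.aspx is matched by file name so any drop location is covered;
// debug_dev.js is matched by full path under both the 15 and 16 hives
// (the original list only covered the 16 hive for debug_dev.js).
| filter (
    lowercase(action_file_name) = "spinstall0.aspx"
    or lowercase(action_file_path) in (
        "c:\program files\common files\microsoft shared\web server extensions\16\template\layouts\debug_dev.js",
        "c:\program files\common files\microsoft shared\web server extensions\15\template\layouts\debug_dev.js"
    )
)
// Actor scope kept as in the original rule: only writes performed by powershell.exe.
// NOTE(review): writes by other processes (e.g. the web worker process) are not covered here — confirm whether a broader actor scope is wanted.
| filter lowercase(actor_process_image_name) = "powershell.exe"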