
Summary
This rule identifies suspicious file write activity targeting the SharePoint layouts directory, an indicator of webshell deployment or other post-exploitation activity. It focuses on file writes that may follow exploitation of known SharePoint vulnerabilities, including CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770. The detection logic captures events in which specific executables (such as cmd.exe, powershell.exe, and w3wp.exe) create or modify files with particular extensions in designated SharePoint directories. Because these processes have little reason to write such files there during normal operation, the activity can indicate malicious intent, particularly initial access and persistence mechanisms in an attack.
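The following is an added example, not the rule's own logic or code from the rule's authors: it applies the three conditions described above (watched process image, watched file extension, target under the SharePoint layouts directory) to constructed Sysmon Event ID 11 (FileCreate) style records. The page does not list the rule's exact extensions or directory, so the extension set and the `Web Server Extensions\<hive>\TEMPLATE\LAYOUTS` path fragment are assumptions for illustration; the event records and file names are constructed, not real telemetry.

```python
import ntpath
import re
from typing import Iterable

# Process images named in the summary above.
WATCHED_IMAGES = {"cmd.exe", "powershell.exe", "w3wp.exe"}

# ASSUMED for this example: the page does not list the rule's extensions or
# directory. These are the web-handler types a webshell would be dropped as,
# and the default hive path of the LAYOUTS directory (any hive number).
WATCHED_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".svc"}
LAYOUTS_DIR = re.compile(
    r"\\web server extensions\\\d+\\template\\layouts\\", re.IGNORECASE
)


def is_suspicious_write(event: dict) -> bool:
    """Apply the rule to one Sysmon Event ID 11 (FileCreate) style record.

    Windows paths are handled with ntpath so the check works on any host,
    and image/extension/path comparisons are all case-insensitive.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "")
    ext = ntpath.splitext(target)[1].lower()
    return (
        image in WATCHED_IMAGES
        and ext in WATCHED_EXTENSIONS
        and LAYOUTS_DIR.search(target) is not None
    )


def find_suspicious_writes(events: Iterable[dict]) -> list:
    """Return the records that satisfy all three conditions."""
    return [e for e in events if is_suspicious_write(e)]


def hit_file_names(events: Iterable[dict]) -> list:
    """Base names of the files flagged, in event order (handy for alerting)."""
    return [ntpath.basename(e["TargetFilename"]) for e in find_suspicious_writes(events)]


# Constructed sample records (not real telemetry). Only three should match.
_HIVE16 = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
_HIVE15 = r"C:\Program Files\Common Files\microsoft shared\web server extensions\15\template\layouts"
SAMPLE_EVENTS = [
    # worker process writing a handler into LAYOUTS: matches
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": _HIVE16 + r"\payload.aspx"},
    # cmd.exe writing an .ashx into a lowercase 15-hive path: matches
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": _HIVE15 + r"\debug.ashx"},
    # right process and directory, non-handler extension: no match
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": _HIVE16 + r"\notes.txt"},
    # right extension and directory, unwatched process: no match
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": _HIVE16 + r"\page.aspx"},
    # watched process and extension, but outside LAYOUTS: no match
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\page.aspx"},
    # upper-case image name still matches
    {"EventID": 11, "Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "TargetFilename": _HIVE16 + r"\update.aspx"},
]

if __name__ == "__main__":
    for name in hit_file_names(SAMPLE_EVENTS):
        print("suspicious LAYOUTS write:", name)
```

The w3wp.exe condition is the most specific of the three: the SharePoint worker process has no legitimate reason to author new .aspx or .ashx handlers under LAYOUTS, so a hit there is worth an immediate look at the file contents and the preceding HTTP requests. The cmd.exe and powershell.exe conditions will also fire on administrators deploying customisations or applying patches, so in production the rule needs exclusions for known deployment accounts or change windows rather than a lower severity across the board.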
Categories
- Web
- Endpoint
Data Sources
- File
- Windows Registry
Created: 2025-07-24