Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn’t contain any command line flags

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

This rule detects suspicious processes with parent images located in the C:\Users\Public folder