[Tuning/New] Solarwinds Post Exploit (#5696)

* [Tuning/New] Solarwinds Post Exploit

https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399

- new rule for tunneling using QEMU
- added a few websvc domains: .cloud.es.io, files.catbox.moe and supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.

* Update initial_access_potential_webhelpdesk_exploit.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* ++

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Samirbous
2026-02-09 13:57:52 +00:00
committed by GitHub
parent 793d79b063
commit 2b5472a9b3
4 changed files with 128 additions and 11 deletions
@@ -2,7 +2,7 @@
creation_date = "2026/02/02"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/02"
updated_date = "2026/02/09"
[rule]
author = ["Elastic"]
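Review bot: the updated_date bump to 2026/02/09 matches the commit timestamp (2026-02-09) and creation_date is left at 2026/02/02, which is the expected pattern for a tuning change; nothing to change in this hunk. The file header is absent from this extract, but the creation_date and the WebHelpDesk query in the following hunk match the initial_access_potential_webhelpdesk_exploit.toml named in the commit message.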
@@ -85,7 +85,7 @@ any where host.os.type == "windows" and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe"))
process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
'''
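Review bot: widening the parent executable from `java.exe` to `java*.exe` does more than the commit message states ("added javaw to the solarwinds rule"): the wildcard also matches any other `java*.exe` binary under the WebHelpDesk tree. If only `javaw.exe` is intended, list both names explicitly, e.g. `"C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files\\WebHelpDesk\\*\\javaw.exe"` (and the `Program Files (x86)` pair), so the parent set stays as tight as the rest of the `process.name` tuple on the line above. If the rule's description or investigation guide names java.exe as the expected parent, update that text to mention javaw.exe as well so the documented behaviour matches the query.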