
Successful IIS Shortname Fuzzing Scan

Sigma Rules

Summary
This detection rule identifies attempts to exploit a potential vulnerability in Internet Information Services (IIS) running an outdated version of the .NET Framework. The vulnerability allows enumeration of internal folder structures through a specific query string pattern that includes the tilde symbol (~). The rule matches HTTP requests that contain the sequence '~1', end with 'a.aspx', use the GET or OPTIONS method, and return either a 200 OK or a 301 Moved Permanently status. Detecting these patterns in web server logs gives security teams insight into potential reconnaissance against their web applications, enabling timely response to threats that could lead to unauthorized access or further exploitation. The rule is particularly important for web server environments running older versions of IIS without the latest security updates.
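The matching logic described above, as an added example that is not the rule's own source: a Python check run over constructed IIS W3C log lines. It assumes the log carries the cs-method, cs-uri-stem, cs-uri-query and sc-status fields and that the '~1' and 'a.aspx' tests apply to the logged URI (stem plus query).

```python
# Added example: the rule's four conditions applied to IIS W3C log lines.
# Assumption: the '~1' / 'a.aspx' tests run on the logged URI (stem + query).

# Constructed sample log; paths, dates and field order are illustrative only.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2021-10-06 10:00:01 GET /index.aspx - 200
2021-10-06 10:00:02 GET /ABCDEF~1/a.aspx - 404
2021-10-06 10:00:03 OPTIONS /ABCDEF~1/a.aspx - 200
2021-10-06 10:00:04 GET /docs/REPORT~1/a.aspx - 301
2021-10-06 10:00:05 POST /ABCDEF~1/a.aspx - 200
2021-10-06 10:00:06 GET /data.aspx id=~1 200
"""

METHODS = {"GET", "OPTIONS"}
STATUSES = {"200", "301"}

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_shortname_hit(rec):
    """True when a request meets all four conditions from the summary."""
    uri = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    if query != "-":  # IIS logs '-' for an empty query string
        uri += "?" + query
    uri = uri.lower()  # compare case-insensitively
    return ("~1" in uri and uri.endswith("a.aspx")
            and rec.get("cs-method") in METHODS
            and rec.get("sc-status") in STATUSES)

def detect(text):
    return [r for r in parse_w3c(text) if is_shortname_hit(r)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["cs-method"],
              hit["cs-uri-stem"], hit["sc-status"])
```

Only the OPTIONS/200 and GET/301 rows match; the 404, the POST and the request that contains '~1' but does not end with 'a.aspx' are excluded.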
Categories
  • Web
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
Created: 2021-10-06