
Summary
This analytic rule detects the creation of new ASPX files inside the MOVEit Transfer application's `wwwroot` directory. It uses endpoint telemetry from Sysmon Event ID 11 (FileCreate) to monitor process and filesystem activity. ASPX file creation in this path is a strong signal because it can indicate exploitation of a critical zero-day vulnerability that malicious actors have used to drop web shells and other malicious files into the MOVEit Transfer environment. Possible consequences include unauthorized exfiltration of sensitive user data, file metadata, and credentials, a significant risk to any organization running this application. The rule helps identify anomalous behavior that may indicate a breach involving MOVEit Transfer so that organizations can respond quickly and limit the damage.
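The following is an added example, not part of the original detection page or the vendor's rule content: a small, self-contained re-implementation of the detection logic described above, run over constructed Sysmon Event ID 11 records. The install path `C:\MOVEitTransfer\wwwroot` is assumed as a typical default and the log records are constructed, not real telemetry.

```python
"""Flag ASPX files created under a MOVEit Transfer wwwroot directory,
based on Sysmon Event ID 11 (FileCreate) records.

Assumptions (not from the page): the directory name containing "moveit"
and the example install path C:\\MOVEitTransfer\\wwwroot are hypothetical
defaults; the sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Any "wwwroot" directory whose parent directory name contains "moveit".
# Case-insensitive and tolerant of both backslash and forward-slash paths.
MOVEIT_WWWROOT = re.compile(
    r"[\\/][^\\/]*moveit[^\\/]*[\\/]wwwroot[\\/]", re.IGNORECASE
)
ASPX_EXT = re.compile(r"\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    image: str       # process that created the file (Sysmon "Image")
    target: str      # full path of the created file ("TargetFilename")


def is_suspicious_create(event: dict) -> bool:
    """True only for a Sysmon FileCreate (ID 11) of an .aspx file under MOVEit wwwroot."""
    if event.get("EventID") != 11:          # ignore process-create and other event types
        return False
    target = event.get("TargetFilename", "")
    return bool(ASPX_EXT.search(target) and MOVEIT_WWWROOT.search(target))


def detect(events) -> list:
    """Return a Finding for every event that matches the detection."""
    return [Finding(e.get("Computer", "?"), e.get("Image", "?"), e["TargetFilename"])
            for e in events if is_suspicious_create(e)]


# Constructed sample telemetry: two true positives, three events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "mft01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\upload_handler.aspx"},
    {"EventID": 11, "Computer": "mft01", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\images\logo.png"},      # not .aspx
    {"EventID": 1, "Computer": "mft01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\MOVEitTransfer\wwwroot\x.aspx"},              # wrong event ID
    {"EventID": 11, "Computer": "web02", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\Default.aspx"},               # not MOVEit
    {"EventID": 11, "Computer": "mft02", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": "c:/moveittransfer/WWWROOT/api/MACHINE2.ASPX"},    # case/slash variant
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT host={f.host} image={f.image} file={f.target}")
```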
Categories
- Endpoint
Data Sources
- User Account
- File
- Process
ATT&CK Techniques
- T1190
- T1133
- T1505.003
Created: 2024-11-13