Detect Exchange Web Shell

Splunk Security Content

Summary
This detection rule identifies the creation of suspicious ASPX files in the drop locations commonly used in Exchange exploitation. Specifically, it targets paths associated with the vulnerabilities exploited by the HAFNIUM group, as well as the ProxyShell and ProxyNotShell exploit chains. The rule consumes data from the Endpoint datamodel, monitoring both process and filesystem events to detect potential web shell deployments. This behavior can indicate an attacker's attempt to establish persistent access and gain the ability to execute arbitrary commands within the Exchange environment. If such activity is confirmed to be malicious, it can lead to unauthorized access and privilege escalation.
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1505
  • T1505.003
  • T1190
  • T1133
Created: 2024-12-12