
Certificate Request Export to Exchange Webserver

Sigma Rules

Summary
This detection rule identifies potentially malicious export of a Certificate Signing Request (CSR) on Exchange web servers. It looks for a CSR that is written to an unconventional directory, or given an atypical filename ending in '.aspx', either of which can indicate an attempt to plant a web shell or run unauthorized scripts. The rule monitors command executions commonly associated with CSR generation, such as 'New-ExchangeCertificate', combined with parameters that indicate a write to a sensitive location on the server (C$ shares, the inetpub folder). The rule is rated critical because it targets a persistent attack vector that can lead to privilege escalation and full system compromise.
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Logon Session
  • File
  • Process
  • Service
Created: 2021-08-23