Suspicious ASPX File Drop by Exchange

Sigma Rules

Summary
This detection rule identifies suspicious file drops by an Exchange server component (specifically the IIS worker process, w3wp.exe) into directories commonly associated with IIS, looking in particular for ASPX files, which indicate potential webshell activity. The rule checks for the MSExchange indicator in the process command line together with specific target file paths that are known locations for file uploads in an IIS environment. An ASPX file written into one of these paths likely indicates an attack exploiting the Exchange server vulnerabilities CVE-2022-41040 and CVE-2022-41082. By combining the filename check with command line monitoring, the rule flags this behaviour early and alerts on a persistence mechanism attackers use to keep control of affected systems.
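The matching logic described above, as an added example that is not the rule's own YAML: it evaluates process-enriched FileCreate events (Sysmon Event ID 11 fields plus CommandLine, an assumption) and the IIS path list is an assumed stand-in, since the summary does not reproduce the rule's paths.

```python
# Added example (not the rule's own YAML): evaluate process-enriched
# FileCreate events against the logic summarised above. Field names follow
# Sysmon Event ID 11 plus CommandLine; the path list is an assumption.
import ntpath
from typing import Iterable

# Assumed IIS / Exchange web directories. The summary mentions such paths
# but does not list them; these well-known defaults stand in for them.
IIS_DROP_PATHS = ("\\inetpub\\wwwroot\\", "\\frontend\\httpproxy\\")

def is_exchange_aspx_drop(event: dict) -> bool:
    """Match when w3wp.exe in an Exchange app pool writes an .aspx file into a watched IIS directory."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    target = event.get("TargetFilename", "").lower()  # NTFS paths are case-insensitive
    return (
        image == "w3wp.exe"                        # IIS worker process
        and "msexchange" in cmdline                # Exchange application pool
        and target.endswith(".aspx")               # server-side script
        and any(p in target for p in IIS_DROP_PATHS)
    )

def find_alerts(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event that matches the rule."""
    return [e["TargetFilename"] for e in events if is_exchange_aspx_drop(e)]

def _ev(image: str, cmdline: str, target: str) -> dict:
    return {"Image": image, "CommandLine": cmdline, "TargetFilename": target}

W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
WWWROOT = "C:\\inetpub\\wwwroot\\aspnet_client\\"

# Constructed sample events (not real telemetry); only the first should alert.
SAMPLE_EVENTS = [
    # Exchange app pool writes an ASPX into the webroot: alert
    _ev(W3WP, 'w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"', WWWROOT + "shell.aspx"),
    # Same pool writes a non-script file: wrong extension, no alert
    _ev(W3WP, 'w3wp.exe -ap "MSExchangeOWAAppPool"', WWWROOT + "data.tmp"),
    # Non-Exchange IIS pool writes ASPX: MSExchange marker absent, no alert
    _ev(W3WP, 'w3wp.exe -ap "DefaultAppPool"', WWWROOT + "index.aspx"),
    # Installer, not w3wp.exe, deploys an ASPX page: no alert
    _ev("C:\\Windows\\System32\\msiexec.exe", "msiexec.exe /i app.msi", WWWROOT + "default.aspx"),
    # Exchange pool writes ASPX outside the watched directories: no alert
    _ev(W3WP, 'w3wp.exe -ap "MSExchangeECPAppPool"', "C:\\Temp\\page.aspx"),
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: suspicious ASPX drop ->", path)
```

The negative cases show which single condition each benign-looking event fails, which is the same set of fields to review when tuning the rule against false positives.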
Categories
  • Windows
  • Network
  • Cloud
Data Sources
  • File
  • Process
  • Image
Created: 2022-10-01