
Summary
This detection rule identifies suspicious activity on Microsoft Exchange Server by focusing on child processes spawned by the IIS web worker process (w3wp.exe). Such activity may indicate an exploitation attempt or unauthorized access through a web shell. The rule applies to a specific timeframe and queries several log indices, including Windows event logs and endpoint process logs, to track command execution originating from w3wp.exe. It flags instances where a command-line interpreter such as cmd.exe or PowerShell is started by w3wp.exe, particularly when the worker's command line carries application pool arguments that point to potential malicious behavior. The rule carries a high severity score so that security personnel are alerted to investigate possible unauthorized actions within Exchange Server environments.
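The following is an added worked example of the detection logic the summary describes; it is not the rule's own query and not code from the rule's authors. It runs over a handful of constructed process-creation events, matches a parent of w3wp.exe whose command line names an Exchange application pool, and flags child interpreters (cmd.exe, PowerShell). The field names (process.name, process.parent.name, process.parent.command_line), the "-ap" application pool argument, the MSExchange*AppPool naming pattern, and the interpreter list are assumptions made for this example rather than values taken from the page.

```python
import re
from dataclasses import dataclass

# Assumption: child interpreters the rule summary mentions (plus pwsh.exe).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumption: IIS starts w3wp.exe with an "-ap <pool>" argument and Exchange
# application pools follow the MSExchange*AppPool naming pattern.
EXCHANGE_POOL_RE = re.compile(r'-ap\s+"?(MSExchange\w*AppPool)"?', re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal ECS-like process creation event (field names are assumptions)."""
    host: str
    name: str                 # process.name
    command_line: str         # process.command_line
    parent_name: str          # process.parent.name
    parent_command_line: str  # process.parent.command_line


def exchange_pool(command_line):
    """Return the Exchange application pool named in a w3wp.exe command line, else None."""
    match = EXCHANGE_POOL_RE.search(command_line)
    return match.group(1) if match else None


def is_exchange_worker(event):
    """True when the parent is w3wp.exe serving an Exchange application pool."""
    return (event.parent_name.lower() == "w3wp.exe"
            and exchange_pool(event.parent_command_line) is not None)


def is_interpreter(event):
    """True when the child process is a command-line interpreter."""
    return event.name.lower() in INTERPRETERS


def detect(events):
    """Return the events that match: Exchange w3wp.exe spawning an interpreter."""
    return [e for e in events if is_exchange_worker(e) and is_interpreter(e)]


def triage_rows(events):
    """Compact (host, child, pool) tuples for an analyst to review."""
    return [(e.host, e.name, exchange_pool(e.parent_command_line)) for e in detect(events)]


# Constructed sample events: two matches, two non-matches.
W3WP = r"c:\windows\system32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    ProcessEvent("exch01", "cmd.exe", "cmd.exe /c dir",
                 "w3wp.exe", f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"'),
    ProcessEvent("exch01", "powershell.exe", "powershell.exe -NoProfile",
                 "w3wp.exe", f'{W3WP} -ap "MSExchangeECPAppPool" -v "v4.0"'),
    # Non-Exchange pool: outside this rule's scope, not flagged here.
    ProcessEvent("web02", "cmd.exe", "cmd.exe /c dir",
                 "w3wp.exe", f'{W3WP} -ap "DefaultAppPool" -v "v4.0"'),
    # Exchange pool but the child is not an interpreter.
    ProcessEvent("exch01", "WerFault.exe", "WerFault.exe -u -p 1234",
                 "w3wp.exe", f'{W3WP} -ap "MSExchangeOWAAppPool" -v "v4.0"'),
]


if __name__ == "__main__":
    for row in triage_rows(SAMPLE_EVENTS):
        print(row)
```

Matching on the parent's application pool argument, rather than on the parent name alone, keeps the alert scoped to Exchange worker processes and gives the analyst the pool name (OWA, ECP, and so on) as the first triage pivot.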
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1190
- T1059
- T1059.001
- T1059.003
Created: 2021-03-08