
Summary
This detection rule targets potential enumeration of Active Directory Certificate Services (AD CS) by threat actors using tools such as Certipy and Certify.exe. These tools can exploit misconfigurations in certificate services, presenting an opportunity for privilege escalation or lateral movement within a network. The rule monitors specific Windows security events and related file access operations: event ID 5145, which tracks file access to certificate authority data, and process creation events (event ID 4688) for known enumeration tools. The detection logic queries endpoint data for processes that meet these criteria within the last two hours, filtering for Windows platforms and excluding benign tools such as find.exe. Regular expressions allow flexible matching of the various tool names associated with certificate enumeration.
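The following is an added, stand-alone illustration of the logic the summary describes, not the rule's own query or code. It runs the two checks (4688 process creation matched by a tool-name regex with find.exe excluded, and 5145 access to certificate authority data) over a handful of constructed events inside a two-hour window. The event field names (`event_id`, `timestamp`, `platform`, `process_name`, `command_line`, `share_name`, `relative_target_name`), the share-name patterns `CertEnroll`/`CertSrv` used to identify certificate authority data, and the sample events themselves are assumptions made for this example; the original rule's exact field names and patterns are not given on this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Tool names from the rule summary, matched case-insensitively and with an
# optional ".exe" so both an image path and a command line can match.
ENUM_TOOL_RE = re.compile(r"(?i)\b(certipy|certify)(\.exe)?\b")

# Benign tools the rule excludes (the summary names find.exe).
EXCLUDED_PROCESSES = {"find.exe"}

# Assumed patterns for "certificate authority data" in a 5145 share-access
# event: the default AD CS enrollment share and the web-enrollment folder.
CA_PATH_RE = re.compile(r"(?i)(certenroll|certsrv)")

WINDOW = timedelta(hours=2)


def in_window(event_time, now, window=WINDOW):
    """True if the event falls inside the trailing detection window."""
    return now - window <= event_time <= now


def detect_adcs_enumeration(events, now):
    """Return (host, event_id, kind, detail) tuples for events that match."""
    hits = []
    for ev in events:
        if ev.get("platform", "").lower() != "windows":
            continue
        if not in_window(datetime.fromisoformat(ev["timestamp"]), now):
            continue
        eid = ev["event_id"]
        if eid == 4688:
            image = ev.get("process_name", "")
            basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in EXCLUDED_PROCESSES:
                continue  # e.g. find.exe searching a text file for "certipy"
            if ENUM_TOOL_RE.search(image) or ENUM_TOOL_RE.search(ev.get("command_line", "")):
                hits.append((ev["host"], eid, "process", image))
        elif eid == 5145:
            target = ev.get("share_name", "") + "\\" + ev.get("relative_target_name", "")
            if CA_PATH_RE.search(target):
                hits.append((ev["host"], eid, "share_access", target))
    return hits


# Constructed sample telemetry (assumed field names; not real log data).
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"event_id": 4688, "timestamp": "2024-02-09T11:50:00+00:00", "platform": "Windows",
     "host": "ws01", "process_name": r"C:\Tools\Certipy.exe",
     "command_line": "Certipy.exe find -vulnerable -u user@corp.local"},
    {"event_id": 4688, "timestamp": "2024-02-09T11:55:00+00:00", "platform": "Windows",
     "host": "ws02", "process_name": r"C:\Windows\System32\find.exe",
     "command_line": 'find.exe /i "certipy" notes.txt'},            # excluded tool
    {"event_id": 4688, "timestamp": "2024-02-09T09:00:00+00:00", "platform": "Windows",
     "host": "ws03", "process_name": r"C:\Users\a\Certify.exe",
     "command_line": "Certify.exe find"},                            # outside window
    {"event_id": 4688, "timestamp": "2024-02-09T11:58:00+00:00", "platform": "Linux",
     "host": "lx01", "process_name": "/opt/certipy", "command_line": "certipy find"},
    {"event_id": 5145, "timestamp": "2024-02-09T11:40:00+00:00", "platform": "Windows",
     "host": "dc01", "share_name": r"\\*\CertEnroll",
     "relative_target_name": "dc01.corp.local_corp-DC01-CA.crt"},
    {"event_id": 5145, "timestamp": "2024-02-09T11:45:00+00:00", "platform": "Windows",
     "host": "fs01", "share_name": r"\\*\Public", "relative_target_name": "readme.txt"},
    {"event_id": 4688, "timestamp": "2024-02-09T11:59:00+00:00", "platform": "Windows",
     "host": "ws04", "process_name": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]


def run_sample():
    """Evaluate the constructed sample; two events are expected to match."""
    return detect_adcs_enumeration(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Of the seven sample events only two fire: the Certipy process creation on ws01 and the CertEnroll share access on dc01. The find.exe launch is dropped by the exclusion even though its command line contains "certipy", the three-hour-old Certify.exe event falls outside the window, and the Linux event fails the platform filter, which mirrors the filtering order the summary describes.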
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Process
- File
- Active Directory
ATT&CK Techniques
- T1649
Created: 2024-02-09