Windows PowerShell Export PfxCertificate

Splunk Security Content

Summary
This detection rule identifies use of the PowerShell cmdlet `export-pfxcertificate`, an operation that can indicate an adversary attempting to exfiltrate certificates (including their private keys) from the Windows Certificate Store. Such behavior is critical to monitor because stolen certificates may lead to unauthorized access and impersonation attacks. The detection leverages PowerShell Script Block Logging (Event Code 4104) to capture the script block text when this cmdlet is run. Certificate theft can allow attackers to undermine secure communications and potentially escalate privileges within a network. To implement this detection, PowerShell Script Block Logging must be enabled on the relevant endpoints.
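The following is an added example, not the Splunk rule itself (the actual detection is written in SPL and is not reproduced here). It shows the same matching logic applied in Python to a handful of constructed Event ID 4104 records: case-insensitive matching of the `export-pfxcertificate` cmdlet inside `ScriptBlockText`, ignoring other event codes and the similarly named `Export-Certificate` cmdlet (which exports only the public part), and pulling out the `-FilePath` argument to help with triage. The field names, hosts, users and paths are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample events shaped like the fields that PowerShell
# Script Block Logging (Event ID 4104) exposes. These are not real logs.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My"},
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": ("$c = Get-ChildItem Cert:\\CurrentUser\\My | Select-Object -First 1; "
                         "Export-PfxCertificate -Cert $c -FilePath C:\\Temp\\out.pfx -Password $p")},
    # Lower-case variant: PowerShell cmdlet names are case-insensitive, so the match must be too.
    {"EventCode": 4104, "Computer": "srv02.example.local", "UserID": "EXAMPLE\\svc-backup",
     "ScriptBlockText": "export-pfxcertificate -cert $cert -filepath $f"},
    # Wrong event code: the rule only looks at 4104, so this is ignored.
    {"EventCode": 4103, "Computer": "srv02.example.local", "UserID": "EXAMPLE\\svc-backup",
     "ScriptBlockText": "Export-PfxCertificate -Cert $cert -FilePath $f"},
    # Export-Certificate writes only the public certificate; it is not the cmdlet of interest.
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "EXAMPLE\\alice",
     "ScriptBlockText": "Export-Certificate -Cert $c -FilePath C:\\Temp\\pub.cer"},
]

# Whole-token match on the cmdlet name so "Export-Certificate" does not match.
CMDLET_PATTERN = re.compile(r"(?<![\w-])export-pfxcertificate(?![\w-])", re.IGNORECASE)
# Best-effort extraction of the -FilePath argument (parameter names are case-insensitive).
FILEPATH_PATTERN = re.compile(r"-filepath\s+(\S+)", re.IGNORECASE)


def is_pfx_export(event):
    """Return True if this is a 4104 event whose script block invokes Export-PfxCertificate."""
    if event.get("EventCode") != 4104:
        return False
    return CMDLET_PATTERN.search(event.get("ScriptBlockText", "")) is not None


def find_pfx_exports(events):
    """Return one finding per matching event, with the destination path when present."""
    findings = []
    for ev in events:
        if not is_pfx_export(ev):
            continue
        m = FILEPATH_PATTERN.search(ev["ScriptBlockText"])
        findings.append({
            "computer": ev.get("Computer"),
            "user": ev.get("UserID"),
            "file_path": m.group(1) if m else None,
            "script": ev["ScriptBlockText"],
        })
    return findings


def summarize_by_host_user(events):
    """Count matching events per (Computer, UserID), mirroring a typical SPL `stats count by` step."""
    return Counter((f["computer"], f["user"]) for f in find_pfx_exports(events))


if __name__ == "__main__":
    for f in find_pfx_exports(SAMPLE_EVENTS):
        print(f"{f['computer']} {f['user']} -> {f['file_path']}: {f['script']}")
    print(dict(summarize_by_host_user(SAMPLE_EVENTS)))
```

In a real deployment the hits should be reviewed against known administrative activity (certificate backups, PKI tooling, scheduled maintenance) before alerting, and the extracted file path is a useful pivot for checking whether the PFX left the host.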
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Script
ATT&CK Techniques
  • T1552.004
  • T1552
  • T1649
Created: 2024-11-13