Certificate Exported Via PowerShell - ScriptBlock

Sigma Rules

Summary
This detection rule identifies suspicious certificate export activity performed through PowerShell. Specifically, it targets calls to the cmdlets `Export-PfxCertificate` and `Export-Certificate`, which indicate attempts to extract certificates from the local certificate store. The rule is important for monitoring credential-theft behaviour on compromised systems, as threat actors can use these cmdlets to steal private keys. For the detection to work, PowerShell Script Block Logging must be enabled, since it is what records the content of PowerShell script blocks as they execute. The detection logic filters out legitimate uses of these cmdlets, focusing on invocations that meet the specified conditions. The rule was created from insights in various threat reports and community knowledge, with references provided for further study.
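As an added illustration (not the Sigma rule itself and not code from this page), the following Python snippet runs the core of the detection over a handful of constructed Script Block Logging entries. It assumes the entries are the script text carried by PowerShell Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and matches the two cmdlets case-insensitively, since PowerShell cmdlet names are not case-sensitive. The exclusion filters for legitimate use that the summary mentions are not listed on this page, so they are not reproduced here; every invocation is reported.

```python
import re
from dataclasses import dataclass

# Constructed sample Script Block Logging entries: (event record id, script text).
# Record 103 uses lower-case to show that a case-sensitive match would miss it;
# record 105 imports rather than exports a certificate and must not be flagged.
SAMPLE_SCRIPT_BLOCKS = [
    (101, "Get-ChildItem Cert:\\LocalMachine\\My"),
    (102, "$c = Get-ChildItem Cert:\\CurrentUser\\My | Select-Object -First 1\n"
          "Export-PfxCertificate -Cert $c -FilePath C:\\Temp\\out.pfx -Password $pw"),
    (103, "export-certificate -Cert $cert -FilePath .\\pub.cer"),
    (105, "Import-PfxCertificate -FilePath .\\in.pfx -CertStoreLocation Cert:\\LocalMachine\\My"),
]

# The two cmdlets named in the rule summary.
CERT_EXPORT_CMDLETS = ("Export-PfxCertificate", "Export-Certificate")

# \b on both sides prevents partial matches on longer identifiers;
# re.IGNORECASE mirrors PowerShell's case-insensitive cmdlet resolution.
_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in CERT_EXPORT_CMDLETS) + r")\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Match:
    record_id: int
    cmdlet: str    # canonical spelling from CERT_EXPORT_CMDLETS
    excerpt: str   # the script line that triggered the match


def find_certificate_exports(script_blocks):
    """Return one Match per script-block line that invokes a certificate export cmdlet."""
    hits = []
    for record_id, text in script_blocks:
        for line in text.splitlines():
            m = _PATTERN.search(line)
            if not m:
                continue
            # Normalise the matched spelling back to the canonical cmdlet name.
            canonical = next(
                c for c in CERT_EXPORT_CMDLETS if c.lower() == m.group(1).lower()
            )
            hits.append(Match(record_id, canonical, line.strip()))
    return hits


if __name__ == "__main__":
    for hit in find_certificate_exports(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {hit.record_id}: {hit.cmdlet} -> {hit.excerpt}")
```

In a real deployment the same match would run inside the SIEM over the 4104 event's script text field; the value of the example is mainly the case-insensitive, whole-word match, which is where naive string searches for these cmdlets tend to go wrong.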
Categories
  • Windows
  • Endpoint
  • On-Premise
Data Sources
  • Script
  • User Account
Created: 2021-04-23